Exploits
Results 1 to 7 of 7

Thread: Exploits

  1. #1
    Senior Member
    Join Date
    Aug 2004
    Posts
    149

    Exploits

    hay guys I have a question....

    lets say that I found a huge exploit/ flaw in MS SP2 security who would I report this to????? could someone end up in jail for finding an flaw such as this????

    just a couple of questions I was curious about....

  2. #2
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    There have been people that landed in jail for many things. However your safest bet [I think] is to send it to SecurityFocus BUGTRAQ [along with some proof-of-concept code] and they'll send it to MS or whatnot... Alternatively you could directly let MS know about it through an e-mail [let's say you go to a webcafe and do it from there, with a new e-mail account and whatnot, if you're really worried]
    /\\

  3. #3
    Banned
    Join Date
    Jul 2004
    Posts
    297
    http://windowsbeta.microsoft.com/xps...k/default.aspx

    also if your the one that has the service pack installed there should be a shortcut on the desktop that takes you to this same site

  4. #4
    Banned
    Join Date
    Apr 2004
    Posts
    843
    Originally posted here by hypronix
    However your safest bet [I think] is to send it to SecurityFocus BUGTRAQ [along with some proof-of-concept code] and they'll send it to MS or whatnot...
    *Tisk *Tisk... I would recommend contacting the vendor yourself first. And if needed I would also send in a report with dissassembled portions of code showing the vulnerable input streams in their software... then simply & quickly explain why this is a problem before actually sending in an actual exploit first. I would only take the advice quoted above as a last ditch effort to be heard.

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Originally posted here by TheSpecialist
    *Tisk *Tisk... I would recommend contacting the vendor yourself first. And if needed I would also send in a report with dissassembled portions of code showing the vulnerable input streams in their software... then simply & quickly explain why this is a problem before actually sending in an actual exploit first. I would only take the advice quoted above as a last ditch effort to be heard.
    BUT you did not fully quote me . Because I did mention contacting the vendor initially, I know most exploiters do that [of course it all depends on what colours they wear]. But in case he is seriously scared about releasing the exploit to MS due to legal reasons he could use the SecurityFocus option. I'm not sure whether SF releases the info right away or if they forward it to the vendor [the site is owned by Symantec so I'm pretty sure they're not eager to get in any legal issues with MS].

    Anyway if you indeed discovered some serious flaw in SP2, allow me to congratulate you!
    /\\

  6. #6
    Senior Member
    Join Date
    May 2003
    Posts
    472
    and just a bit of advise dont ever post the binaries just post the source code.....in certail countries under the jurisdiction(probably US included)..posting exploit binaries is considered a virus like activity....so keep away from LAW hassles.....

    jusy my $0.02
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  7. #7
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Originally posted here by NullDevice
    and just a bit of advise dont ever post the binaries just post the source code.....in certail countries under the jurisdiction(probably US included)..posting exploit binaries is considered a virus like activity....so keep away from LAW hassles.....

    jusy my $0.02
    Good point! Actually there would be no gain in posting the binaries anyway, because they do not prove anything about the code, nor do they show how the vulnerability is exploited. Somebody could reverse engineer it, but that's a hassle not needed.

    Actually I was reading something on SecurityFocus yesterday and they did mention the legal restrictions of posting binaries [it was a walkthrough for setting a box and exploiting it remotely, and they were only posting links to the source code].
    /\\

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •