[Dailydave] Re: [sr] Wins investigation for MS04-006
H D Moore
hdm-daily-dave at digitaloffense.net
Fri Jun 11 14:25:10 EST 2004
On Friday 11 June 2004 14:05, you wrote:
> You did work with us on this investigation, and if you would like to
> have co-credit for this issue, then I'm more than happy to add you to
> the security bulletin.
I am sorry it was interpreted that way, I actually couldn't care less
about the credit, the only reason I brought up the WINS issue was the
mention of OIS (which was relevant to the current topic on the mailing
list). The point I was trying to make was that vendors are pushing to get
security researchers to use the OIS guidelines for vulnerability
reporting. The "work with us, or get no credit" stance has also been a
long-running theme with Microsoft security, personally I have run across
it about three times now (going back to 1998 or so). With regards to
HITB, I do feel that they were pressured by Microsoft into not releasing
their advisory, however since they have made no official response...
> I can mention as well that we are aware of other recent reports of
> another WINS issue, is it possible that this is the issue that you had
> found originally?
It could be, but I have not checked and have no interest in pursuing it. I
am aware of alternate exploits that were resolved by the same patch,
these seem to be based off the same issue that I ran across here. Maybe
someone else on the DD list would like to speak up about their exploit
code :)
-HD
---------- Forwarded Message ----------
Subject: [sr] Wins investigation for MS04-006
Date: Friday 11 June 2004 14:05
From: "Microsoft Security Response Center" <secure at microsoft.com>
To: "H D Moore" <hdm at digitaloffense.net>
Cc: "Microsoft Security Response Center" <secure at microsoft.com>
H.D,
I've read your recent postings about the events that took place around
MS04-006. I'm sorry you feel that I in some way did not provide you with
the level of credit you felt that you deserved relating to this case. It
was my understanding that 'the hack in the box folks' owned the credit
and release of data for this issue on your side. And at no other time
did you mention credit in the bulletin or provide preferred credit
details.
If I was mistaken, then I would like to apologize and I would like to
try to correct it. You did work with us on this investigation, and if
you would like to have co-credit for this issue, then I'm more than
happy to add you to the security bulletin.
Please let me know if you would like this and which email or web url
(but not both) that you would prefer to use.
Also, you state that we really did not understand the issue, if you have
had more time to work on code relating to this issue and it's still not
patched somehow, I'm more than happy to open a new investigation and try
to work together again on these points.
I can mention as well that we are aware of other recent reports of
another WINS issue, is it possible that this is the issue that you had
found originally?
Best Regards
Scott
-------------------------------------------------------