[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ntbugtraq
Subject:    Re: Backdoors in Windows desktop PCs
From:       Russ <Russ.Cooper () RC ! ON ! CA>
Date:       1999-07-30 15:22:06
[Download RAW message or body]

Richard Smith made reference to;

>This second problem was first found late last year by
>another person, but for some reason never fixed by Compaq.
>I would like to give this person proper credit here for finding this
>security hole, but unfortunately his Web site right now gives a
>a bit too many details about how to exploit the security hole.

I had a private conversation back in November last year with the
individual Richard is referring to. His name is Frank Farance and the
site he refers to is;

<http://www.farance.com/etc/ie40-security-bug-19981120/index.html>

Frank never posted anything to NTBugtraq, I contacted him about this
after reading information about it forwarded to me from another mailing
list. Frank and I ended up in somewhat of an argument at the time due to
my stupidity. Ultimately I tried to tell Frank the problem wasn't with
IE, but with the Compaq applet. The issue did get reported to CERT and
Microsoft Security,  and CERT indicated "we have passed the information
along to our vendor contact for their information and review."

Compaq are notorious for burying their heads in the sand and pretending
no vulnerabilities exist. It is then not surprising that Richard could
purchase a Compaq box with the insecure applet installed more than 8
months after Compaq were notified their applet was insecure.

During the recent RDS issue, Compaq lied to MSNBC when they told them
they "acted as soon as they were informed". This is bull since I tested
their site when the MSNBC story published and found it to be *still
vulnerable*. I reported this fact to the Compaq Customer Care unit, the
only mechanisms I could find to contact them. An hour after my call
their sites were no longer vulnerable to my tool, but obviously were
still vulnerable to .rfp.'s.

While not strictly an NT issue, given Compaq's position in the NT
community (most NT Servers run on Compaq boxes IMO), their attitude
towards security and their products is frightening.

Cheers,
Russ - NTBugtraq Editor

[prev in list] [next in list] [prev in thread] [next in thread]