Jump to content

ael

Members
  • Content Count

    3
  • Joined

  • Last visited

Everything posted by ael

  1. I'm very sad but somewhat not suprised to hear that you as a "supposed security vendor" are not familiar with the term defense (or security) in depth. This is one of the basic security principles when building secure systems. In a nutshell, security of a certain system must not be dependable on a single component whose failure would cause compromise of the system. Instead, security must be built in from the start and in each in every component. That's exactly what you failed to provide. You're entirely wrong when you say "most vendors don't bother to protect their drivers from being accessed by any program" - that's simply not true, at least for the drivers I mentioned in my previous post. Some security applications (I won't name them) have no authentication scheme, yet they are very secure, and their functionality is very similar to that of SAS. How is that possible? Because they use entirely different architecture/design and methods of reporting to user mode regarding critical functions, and don't have simple programming mistakes that your drivers do have. And Nick (I won't put it into quotation marks), you're actually wrong about entire "all functions in our driver are not accessible without authentication - PERIOD" part. I'm sure you'll delete this part, but you'll read it anyway, so it's worth writing - what if someone injects a new thread in SAS process? Thread (i.e. code) would run in SAS context, thus being registered with the driver and could exploit all vulnerabilities I discovered. SAS does not prevent thread injection, at least not in free edition. Your "authentication scheme" is useless here, since that thread would come from an already registered process. Think about that, I think I gave you a valuable advice. I think I helped your customers more than you think. Since your "fixes" between versions were inadequate, and since you rejected my help, publication of my advisory is probably going to persuade you to fix your program correctly this time. I think the time was well spent. Please, post here my e-mail where I "clearly said I will NOT publish the authentication scheme to the driver". I'm certain you won't be able to post it, since I never said that. I said that: Since you failed to reply to my e-mail and were considering me a nuisance and extortioner, I changed my mind and published the advisory. I believe I had every right to do so, since you failed to follow procedure specified by the policy. It would be great if you actually cared for your customers instead of caring only for your company - you never mentioned customers in your replies, and I believe they are the most affected ones, not your company.
  2. I see you shortened my post and removed the most relevant parts. I'm sure you'll do it again, since it's your forum, your domain and you can do whatever you want. So much for being "professional".. You're welcome to provide evidence where I was extorting you. I'm not going to repeat myself, since you removed most of my post, and you're probably going to do that again. I was not extorting you, I was not requesting details of your code. Certain procedure exists in security community, and I followed it very closely. You however failed to do that... I hope you, as a "supposed security application vendor" will make secure and decent program this time. If you have provided status updates and your mitigation plan, malware authors would only have information about OLD vulnerabilities which do not work on the new version. As a "security application vendor" you should know that cooperating with the security community is going to benefit you more than it's going to hurt you. Nick, you're mentioning your "authentication scheme" over and over again. I'll emphasize again that there are MANY applications (security related or not) without ANY "authentication scheme" which are VERY secure. Some of them have functionallity which is VERY similar to that of SAS, they don't use "authentication scheme" AT ALL and they are still very tight, very secure and very hard to exploit. You're basically saying that none of the authors that post regulary to Bugtraq and (more or less) to Full-disclosure are not acting like a security professionals.. If you're pretending to be a security application vendor, then act like one - I never had any problems during vulnerability reports, this is the first time I had difficulties and problems while reporting a vulnerability. If you're security application vendor, than be responsible and fix your product. Have fun fixing your program and editing my post.
  3. My name is Luka Milkovic and yes, I reported certain vulnerabilities in SUPERAntiSpyware and Super Ad Blocker. I'd first like to say that I have no interest in badmouthing SUPERAntiSpyware or Super Ad Blocker, I do not have a secret agenda, and wasn't specifically aiming SAS during my vulnerability resarches.
×
×
  • Create New...