Domain: sec-consult.com
Stories and comments across the archive that link to sec-consult.com.
Comments · 4
-
Original source for Advisory
SEC Consult Vulnerability Lab Security Advisory - 20130124-0
title: Critical SSH Backdoor in multiple Barracuda Networks Products
vulnerable products: Barracuda Spam and Virus Firewall
Barracuda Web Filter
Barracuda Message Archiver
Barracuda Web Application Firewall
Barracuda Link Balancer
Barracuda Load Balancer
Barracuda SSL VPN
(all including their respective virtual "Vx" versions)vulnerable version: all versions Security Definition 2.0.5
fixed version: Security Definition 2.0.5
impact: Critical
homepage: https://www.barracudanetworks.com/
found: 2012-11-20
by: S. Viehbck
SEC Consult Vulnerability Lab
https://www.sec-consult.com -
Re:err, why?
Gee, thanks god there never was a "Curse of Silence" for Symbian. Not to mention From 0 to 0day on Symbian.
-
Way to drag your feet, Microsoft
Zero-day? Hardly. Microsoft has known about this vulnerability for quite a while. From the Sec-Consult group who first put out its advisory two weeks ago--the same time that the IE7 vulnerability came out:
20081209_mssql-sp_replwritetovarbin_memwrite.txt
Patch:
------According to an email received by Microsoft in September, a fix for this vulnerability has been completed.
The release schedule for this fix is currently unknown.Vendor timeline:
---------------
Vendor notified: 2008-04-17
Vendor response: 2008-04-17
Last response from Microsoft: 09-29-2008
Request for update status 1: 10-14-2008
Request for update status 2: 10-29-2008
Request for update status 3: 11-12-2008
Request for update status 4
and prenotification about advisory release date: 11-28-2008
Public release: 12-09-2008
Update (added SQL Server 2005, thanks Moreno Zilli): 12-10-2008Why is Microsoft dragging their feet in releasing the patch?
-
More Misdirection from the Masters
I can't believe that people are lapping this up.
The so-called vulnerability that Microsoft claim to have found a 0-day for in the second week of July was actually discovered by SEC-Consult, and first published on June 29, having discovered it, and notified Microsoft on June 17. There was effectively nil response from Microsoft (they claimed to have not been able to reproduce the issue...).
While many people believe that the sample object used, the javaprxy.dll, was the flaw itself, the first paragraph of the advisory (the background) indicates that it is a COM level issue, and they identified at least 20 vulnerable objects on a standard XP installation.
It was this issue that Microsoft ignored until the recent Black Tuesday updates, and then claimed ownership of via the honey monkey project.
Sorry, guys, you can't claim something that has already been published openly, and ignored when notified.