FACTS ABOUT THE .NET PASSPORT VULNERABILITY

"This is to clarify the issue that we at PakCERT found TWO .Net Passport vulnerabilities and we were the first to discover them (only one vulnerability was discussed in mailing lists) and took it to the local press here in Pakistan. We even notified Microsoft a long time back through email (secure@microsoft.com) about the two vulnerabilities but received no response and later decided to release an advisory WITHOUT technical information (as the exploit method was not public then). We arranged a press conference on the 8th of May and the invitations for the press conference were sent to the media on 5th May.

The guy Muhammad Faisal Rauf Danka came to know about this advisory and released the vulnerability with exploit to claim credit for the vulnerability which we discovered and made public even before him. The advisory and press conference details were on local televisions and print media."

Here we would like to add that although Muhammad Faisal Rauf Danka has claimed on several security mailing lists to be Vice President of PakCERT, he was in fact never associated with PakCERT in any manner.

Our conversation with Robert Lemos, who first reported this vulnerability in the media

The invitation file attached to the e-mail mentioned below is available here.

Subject: Re: Microsoft Flaw discovered
Date: Sat, 10 May 2003 01:36:22 +0500
From: Qazi Ahmed <qa@pakcert.org>
To: Rob Lemos <robert.lemos@cnet.com>
CC: zd@spider.tm
BCC: pakcert@pakcert.org

Hello,

Thank you for your response. Let me clarify the misunderstanding about the above-mentioned issue.

As mentioned in my previous email, PakCERT discovered not one but TWO vulnerabilities, emailed Microsoft at secure@microsoft.com and later, owing to their non-responsive attitude, notified the media in Pakistan on 5th May by fax and e-mail and announced the release of these vulnerabilities, with the details to be exposed on 8th May.

Yesterday, on 8th May, we organized a press conference at a local hotel and released the vulnerabilities, withholding the technical information, which, if it went into the wrong hands, could have grave consequences. We demonstrated the vulnerability and exploit to a closed group from the local media and IT magazines, and one of the attendees provided this information to Muhammad Faisal Rauf Danka on the night of the 7th, and he unethically released the exploit information on the full-disclosure mailing list in haste to claim the credit.

Note that we already released this information to the local media by fax on 5th May and notified Microsoft several times (even before we notified the local press through fax and e-mail on 5th May), but we have not yet received any response from Microsoft, and even now only one serious vulnerability has been fixed by Microsoft; the other "SECURITY QUESTION BYPASS" vulnerability still exists.

You can confirm the fax information with our local media, especially with the editor of SPIDER, Miss Zunaira Durrani. SPIDER is the foremost authority and the largest internet magazine in Pakistan, and is a publication of the DAWN GROUP OF NEWSPAPERS, the largest English-language DAILY in Pakistan.

The reason for the delayed e-mail to full-disclosure and bugtraq is that we sent them e-mails AFTER the press conference on 8th May. I am attaching the invitation we sent to the local media through fax and e-mail.

You can always confirm this from any of our local media.

If you have any more queries to clarify this whole situation, please keep in contact with us.

Hope to hear from you soon.

Regards,
Qazi Ahmed

Rob Lemos wrote:

Mr. Ahmed:

I looked into these claims when another reader pointed out that your site had posted an advisory. However, you seem to have posted it several hours after the original advisory had been submitted to Full-Disclosure.

If you have other data on the matter that you would like to send me, please do.

-R

| robert lemos | senior staff writer | cnet news.com |
| v: (415) 344-2975 | e: rob.lemos@cnet.com |

-----Original Message-----
From: Qazi Ahmed [mailto:qa@pakcert.org]
Sent: Thursday, May 08, 2003 11:43 PM
To: rob.lemos@cnet.com
Subject: Microsoft Flaw discovered

This is to clarify the issue that we at PakCERT found TWO .Net Passport vulnerabilities and we were the first to discover them (only one vulnerability was discussed in mailing lists) and took it to the local press here in Pakistan. We even notified Microsoft a long time back through email (secure@microsoft.com) about the two vulnerabilities but received no response and later decided to release an advisory WITHOUT technical information (as the exploit method was not public then). We arranged a press conference on the 8th of May and the invitations for the press conference were sent to the media on 5th May.

The guy Muhammad Faisal Rauf Danka came to know about this advisory and released the vulnerability with exploit to claim credit for the vulnerability which we discovered and made public even before him. The advisory and press conference details were on local televisions and print media.

You can find the PakCERT advisory at
http://www.pakcert.org/advisory/PC-080503.html

Regards,
-QA


All rights reserved. Copyright© PakCERT 2000-2024