Full Disclosure (mailing list)

Last updated

Full Disclosure is a "lightly moderated" security mailing list generally used for discussion about information security and disclosure of vulnerabilities. The list was created on July 9, 2002, by Len Rose and also administered by him, who later handed it off to John Cartwright. After Len Rose shut down netsys.com, the list was hosted and sponsored by Secunia. [1]

Contents

The Full Disclosure mailing list was originally created because many people felt that the Bugtraq mailing list had "changed for the worse". [2]

In March 2014 Cartwright shutdown the original Full-Disclosure mailing list because an "unnamed" security researcher made requests for large-scale deletion of information and threatened legal action. [3] Cartwright wrote on the list's homepage, "I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to. I never imagined that request might come from a researcher within the 'community' itself." [3] [4]

On March 25, 2014, the list was "rebooted" by Fyodor. [5] The site is now part of seclists.org and no longer associated with grok.org.uk.

Notable 0-days first disclosed in Full Disclosure

Email subjectSoftwareDateRef.
Defense in depth -- the Microsoft way (part 14): incomplete, misleading and dangerous documentation Windows NT 2013-11-24 [6]
Defense in depth -- the Microsoft way (part 11): privilege escalation for dummies Windows NT 2013-10-02 [7]
The history of a -probably- 13 years old Oracle bug: TNS Poison Oracle Database 2012-04-18 [8]
Apache Killer Apache HTTP Server 2011-08-26 [9]
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly Help and Support Center 2010-06-10 [10]
Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack Windows NT 2010-01-19 [11]

Related Research Articles

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

<span class="mw-page-title-main">Internet Information Services</span> Extensible web server software by Microsoft

Microsoft IIS is an extensible web server created by Microsoft for use with the Windows NT family. IIS supports HTTP, HTTP/2, HTTP/3, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some editions, and is not active by default. A dedicated suite of software called SEO Toolkit is included in the latest version of the manager. This suite has several tools for SEO with features for metatag / web coding optimization, sitemaps / robots.txt configuration, website analysis, crawler setting, SSL server-side configuration and more.

A grey hat is a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but usually does not have the malicious intent typical of a black hat hacker.

Vulnerabilities are flaws in a computer system that weaken the overall security of the system.

The Open Sourced Vulnerability Database (OSVDB) was an independent and open-sourced vulnerability database. The goal of the project was to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promoted greater and more open collaboration between companies and individuals. The database's motto was "Everything is Vulnerable".

Patch Tuesday is an unofficial term used to refer to when Microsoft, Adobe, Oracle and others regularly release software patches for their software products. It is widely referred to in this way by the industry. Microsoft formalized Patch Tuesday in October 2003. Patch Tuesday is known within Microsoft also as the "B" release, to distinguish it from the "C" and "D" releases that occur in the third and fourth weeks of the month, respectively.

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The United States' National Cybersecurity FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security. The system was officially launched for the public in September 1999.

<span class="mw-page-title-main">CERT Coordination Center</span>

The CERT Coordination Center (CERT/CC) is the coordination center of the computer emergency response team (CERT) for the Software Engineering Institute (SEI), a non-profit United States federally funded research and development center. The CERT/CC researches software bugs that impact software and internet security, publishes research and information on its findings, and works with businesses and the government to improve the security of software and the internet as a whole.

In computer security, coordinated vulnerability disclosure is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the "full disclosure" model.

Bugtraq was an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It was a high-volume mailing list, with as many as 776 posts in a month, and almost all new security vulnerabilities were discussed on the list in its early days. The forum provided a vehicle for anyone to disclose and discuss computer vulnerabilities, including security researchers and product vendors. While the service has not been officially terminated, and its archives are still publicly accessible, no new posts have been made since January 2021.

<span class="mw-page-title-main">Microsoft account</span> User account required for Microsoft-owned services

A Microsoft account or MSA is a single sign-on personal user account for Microsoft customers to log in to consumer Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.

<span class="mw-page-title-main">Heartbleed</span> Security bug in OpenSSL

Heartbleed is a security bug in some outdated versions of the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed.

<span class="mw-page-title-main">Shellshock (software bug)</span> Security bug in the Unix Bash shell discovered in 2014

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

<span class="mw-page-title-main">Katie Moussouris</span> American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure

Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, and currently is the founder and CEO of Luta Security.

<span class="mw-page-title-main">BlueKeep</span> Windows security hole

BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

SMBGhost is a type of security vulnerability, with wormlike features, that affects Windows 10 computers and was first reported publicly on 10 March 2020.

Zero Day Initiative (ZDI) is an international software vulnerability initiative that was started in 2005 by TippingPoint, a division of 3Com. The program was acquired by Trend Micro as a part of the HP TippingPoint acquisition in 2015.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

References

  1. "Full-Disclosure Mailing List Charter".
  2. Cartwright, John (July 7, 2002). "Announcing new security mailing list" . Retrieved November 15, 2020.
  3. 1 2 Constantin, Lucian (March 19, 2014). "Full Disclosure mailing list shuts down indefinitely". Computerworld . Retrieved November 15, 2020.
  4. Cartwright, John (February 6, 2019). "Full-Disclosure mailing list" . Retrieved November 15, 2020.
  5. Fyodor (2014-03-26). "Rebooting the Full Disclosure list" . Retrieved 2014-03-26.
  6. "MS14-019 - Fixing a binary hijacking via .cmd or .bat file". 28 August 2023.
  7. Bellovin, Steven; Blaze, Matt; Clark, Sandy; Landau, Susan (April 2014). "Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet". Northwestern Journal of Technology and Intellectual Property. 12 (1): 1.
  8. "Unpatched Oracle database vulnerability accidentally disclosed". 5 January 2012.
  9. "Defending Against The 'Apache Killer' Exploit".
  10. "Google researcher gives Microsoft 5 days to fix XP zero-day bug". 10 June 2010.
  11. "Unpatched Microsoft Windows (all versions) Privilege Escalation Vulnerability Released".