A new (or maybe not so new) market [Vulnerability market, that is]

To be honest, I was very surprised when I was reading an article about what is called the
“vulnerability market”.
It seems that currently there is a thriving (possibly an overstatement) market for vulnerabilities.
In other words, a person or group discovers a vulnerability and offers it to the highest bidder.

Why would someone want to buy a vulnerability?


This is a good question. I think that there might be several reasons for buying a vulnerability:


  1. If you are in the business of corporate espionage, you might want to have it in your arsenal.
  2. If you are in the business of just doing bad things for fun, you might want to have it in your arsenal.
  3. If you want the publicity for being the one that “discovered” the vulnerability, you might want to have it in your arsenal.

The first and the third reasons intrigue me:
If you are a shadow dweller that makes money by stealing information from corporate information systems,
obtaining knowledge about undiscovered/unexploited vulnerabilities has to be worthless. Your target
cannot, and does not, expect you to use that angle of attack since he is not aware that he is vulnerable; this might
provide you with the edge you need.
Obviously, it would be in your best interest to keep the vulnerability to yourself and leave it undisclosed for
as long as possible.

As for the publicity: by being the firm that has “discovered” such a vulnerability, you might gain a better perception
in the public's eye as being proactive and identifying vulnerabilities. For a security company this might be worthless.
The issue to debate here is what happened to ethics?

Blackberry and Goodlink may be affected by Exchange store patch

I happened to stumble upon this one by chance, and I do admit I am really happy since
I am very familiar with the situation. It seems that a patch intended for the information store
changes the behavior of permissions, thus causing loss of functionality of the aforementioned services.


For additional information on this topic please visit:


http://support.microsoft.com/kb/912918/en-us


http://support.microsoft.com/kb/895949/


And the post on the Exchange team blog:


http://blogs.technet.com/exchange/archive/2006/01/13/417440.aspx

The virtues of ResolveP2 Functionality

In some cases you may have contacts or mailboxes (on Exchange) that have custom SMTP addresses
associated with them. Users may be using these addresses (with some SMTP client) as source addresses
for sending e-mails to their peers.

When their peers receive the e-mail, they will see the sender in standard SMTP format.
If you want them to see the sender as a standard user (no trailing SMTP address), you might
want to take advantage of ResolveP2 Functionality.


This is described in:


http://support.microsoft.com/default.aspx?scid=kb;en-us;288635


Keep in mind, though, that some see enabling this functionality as a security threat, since
anyone can configure a specific address as the sender's address and thus try to pose as
a legitimate user… My opinion is that if this is the only way of identifying a fraudulent e-mail
then you are in trouble…
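
The concern above is that the sender address in a message header is whatever the submitting client chooses. As an added example (not from the original post or the KB article), this Python check flags messages whose From header claims an internal address although the session was not authenticated; the domain example.com, the sample messages and the function names are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumption: domains whose addresses exist in the directory.
INTERNAL_DOMAINS = {"example.com"}

# Constructed samples: (envelope MAIL FROM, session authenticated?, raw message).
SAMPLES = [
    ("alice@example.com", True,
     "From: Alice <alice@example.com>\nTo: bob@example.com\nSubject: ok\n\nhi\n"),
    ("bounce@mailer.invalid", False,
     "From: Alice <alice@example.com>\nTo: bob@example.com\nSubject: urgent\n\npay\n"),
    ("news@partner.invalid", False,
     "From: News <news@partner.invalid>\nTo: bob@example.com\nSubject: news\n\nhi\n"),
]

def domain_of(address):
    """Return the lower-cased domain of an address, or '' if there is none."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def review(envelope_from, authenticated, raw):
    """Return reasons why the displayed sender should not be trusted."""
    header_from = message_from_string(raw).get("From", "")
    header_domain = domain_of(header_from)
    reasons = []
    if not header_domain:
        reasons.append("missing or unparsable From header")
    elif header_domain in INTERNAL_DOMAINS and not authenticated:
        # The header names a directory user, but nothing proved who sent it.
        reasons.append("unauthenticated session claims internal sender")
    if header_domain and domain_of(envelope_from) != header_domain:
        reasons.append("envelope and header sender domains differ")
    return reasons

def flagged(samples=SAMPLES):
    """Return (envelope sender, reasons) for every sample with findings."""
    results = [(env, review(env, auth, raw)) for env, auth, raw in samples]
    return [(env, reasons) for env, reasons in results if reasons]

if __name__ == "__main__":
    for env, reasons in flagged():
        print(env, "->", "; ".join(reasons))
```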