I would urgently request to remove the message. I found when I press "Tell me more" and internet explorer session is started. With that "Local System" account I can do anything (starting explorer etc..) on that computer (via file > open in IE) without logging on!! This is a MAYOR security concern.
It is not fixed on Monday, do you realize you have released a mayor security breach, and are not solving it with the same urgency? I'm a developer, so I know solving this is really a peace of cake. Takes about 10 minutes to adapt your software.
This update is going to have other fixes and a reworked MSI Configurator. Today we'll be doing final testing before we provide it. So it's not this only bug that this update is going to fix.
Although the bug you mention is a security concern, it is not THAT major or urgent as you might imagine. If it is of so much extreme importance for you please restrain from distributing your Host installer for a while before we provide an update.
Sorry, we do not utilize a "piece of cake" approach. We need to make sure that the next update has been tested before we can make it public. Besides, publicly speaking about found exploits doesn't make your existing installations more secure, hope you understand.
Conrad wrote: Sorry, we do not utilize a "piece of cake" approach.
Not a really friendly comment towards your customers.
If you don't like exploits in your application, you should treat them as such, and be honest towards your customers.
This is my last post here, I will recommend towards our security officer not to continue with your product, this text (not the post, will likely be deleted in minutes by admin), will be forwarded to them.
We will not delete the post. If we were afraid of having discussions on our site, we wouldn't have a forum in the first place. As you can see - everyone here can speak. Of course, if they follow our forum rules.
As for the subject:
1. This exploit only appears if you run a custom Host installer with the "Generate ID" function enabled AND if you click the "Tell me more" button.
2. This bug can only potentially be exploited by the remote user himself - to elevate their permissions. Yes, perhaps there might be other far less probably uses, but overall it has a very limited application/scope.
In this specific case marking your post as "BIG SECURITY ISSUE" could be misleading. Someone who visits our forum may think that our software in general has a big security issue that applies to absolutely all cases, which is very far from the truth.
So instead of posting here on the forum you could just send us a ticket or an email, and this bug would have been fixed in a few days without anyone even knowing about it, which is good for security. Security issues are not something that should be immediately disclosed - it is advisable to contact the developers privately first, and see how they respond. And if they don't respond and refuse to deal with the issue it may be time to use public pressure. Unfortunately, you decided to use public pressure right from the start as if we were unresponsive or unwilling to fix issues.
We never said that we didn't like when our customers or users let us know about exploits in our software. Quite the contrary, we can only be thankful for that and we encourage users to send us security bugs - the more the merrier. However, our concern is that making such information public BEFORE the bug is fixed is somewhat imprudent and can diminish security for existing users who use that specific feature. This is certainly not a proper way security bugs should be dealt with.