Full Disclosure mailing list archives
Re: MSIE src&name property disclosure
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Mon, 8 Nov 2004 15:13:57 +0100 (CET)
On Mon, 8 Nov 2004, Berend-Jan Wever wrote:
> In response to statements found at http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html
Yup. But what amuses me most, is the following bit:

"Microsoft has begun to investigate the Iframe vulnerability and has not been made aware of any program designed to exploit the flaw, the company said in an e-mail statement to CNET News.com."

When you posted your first message confirming that the problem is exploitable, I forwarded it to secure () microsoft com, so that they know they have a problem in case they do not read Full-Disclosure. I got no response.

Later, when you posted a working exploit, I sent them another forward, including a remark it is probably a good idea to react now, if they failed to do so before. In response, I got a mail from "Lennart" of Microsoft Security Response Center, saying that they are aware of the problem and read mailing lists, and that my original mail simply got lost in the noise.

Several days later, this statement surfaces in an article, showing beyond any doubt that they are, quite simply, lying to the public to save face and gain time.

As much as I am not a rabid Microsoft hater, this pissed me off more than a bit.

--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2004-11-08 15:09 --

http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html