Full Disclosure mailing list archives

Re: How to Report a Security Vulnerability to Microsoft


From: "Jason Coombs" <jasonc () science org>
Date: Mon, 11 Apr 2005 07:40:04 +0000 GMT

Paul (greyhatsecurity.org) wrote:
We went out to dinner on a couple
occasions and had a good time

Wow, Paul. You sell your soul for a couple of mouthfuls of food?

No way is Microsoft to be trusted just because there are a bunch of potentially-good people doing technical work in the 
trenches. They are called 'pawns' and the abuse and exploitation of those people is legendary.

I say 'potentially' good because any one of them could, at any moment, quit Microsoft and by so doing prove themselves 
dedicated to creating a better future for everyone, even when it means a little personal hardship to do so.

The question that matters is who are the executives of Microsoft, and what are they doing today?

You may have temporarily forgotten that the executives at Microsoft have done terrible things that have harmed every 
person on Earth. Fortunately, the rest of us haven't.

Microsoft must know how to pick a nice bottle of wine.

Regards,

Jason Coombs
jasonc () science org

-----Original Message-----
From: tuytumadre () att net
Date: Mon, 11 Apr 2005 07:22:47 
To:"Morning Wood" <se_cur_ity () hotmail com>
Cc:full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] How to Report a Security Vulnerability to Microsoft


this is basically the same response I had from my OWA advisory ... 

VI. VENDOR RESPONSE 

Microsoft has reviewed the issue and has made the determination that 
while a bug fix may be implemented in a future service pack, a security 
advisory/patch will not be released for this issue 

therefore, in the interest of everyone's security, iDefense released the 
advisory ( as did I ) without a patch being released first. 
it is quite possible they ( Microsoft ) are trying to make out like they 
weren't contacted before said advisory was released.... but that is just my 
opinion on observation. 

my 2 bits, 

Donnie Werner 


That response was given to me when I reported a DoS vulnerability for Internet Explorer (which, might I add, required 
user interaction). It simply means that the reported vuln, on a severity scale of 1-10, would pretty much be given a 1. 
If I'm not mistaken, your OWA vulnerability just spoofs the From address. Although some forms of social engineering 
MIGHT be possible, there is ultimately no use for something this minor. Think for a second about how much time and 
resources, including human labor required to produce the patch as well as the technology department employees that must 
install patches on every computer in large corporations, goes into making a patch. First of all, there's the whole 
problem with does the solution break 3rd party software. Also there's a problem with cross-platform software (they do 
have stuff for Mac you know). Another thing they have to worry about is how much money and resources it costs companies 
other than Microsoft to apply the patches. When common people start seeing a lot of patches, they start losing faith 
in the software, which is bad for Microsoft. 
Therefore, the bad outweighs the good when determining whether to provide a patch for something as insignificant as 
your OWA advisory. I am not saying that I don't respect your efforts. I am just trying to get across the message that 
Microsoft is not out to get us. Everyone thinks of them as this big evil monopolistic empire, but they're not. By the 
way, has anyone read Writing Secure Code by some of the guys from Microsoft? It's pretty interesting, and it offers 
some insight as to what are considered critical vulnerabilities and what are considered vulnerabilities with little or 
no severity. Believe me when I tell you (as I have had 1 on 1 conversations with many security VIPs at Microsoft 
Campus) that Microsoft is doing everything that they can to ensure you a safe, enjoyable experience while using their 
software.

Btw, Mr. Werner, you seem to be among the common group of anti-Microsoft individuals. May I ask what the vendor of your 
operating system is? What about your browser? Maybe even your word processor or HTML editor? Uh-huh, that's what I 
thought.

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org

P.S. I do NOT work for Microsoft. I was merely invited to visit their campus and meet some of their people. Very nice 
bunch of folks they are. We went out to dinner on a couple occasions and had a good time.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/