Full Disclosure mailing list archives
Re: Internet Explorer User Interface Races, Redeux
From: "Robert Lemos" <robert.lemos () yahoo com>
Date: Thu, 27 Apr 2006 01:22:53 +0100
V. VENDOR RESPONSE * Microsoft was informed of this vulnerability on October 20, 2005. * As part of its December patch cycle, Microsoft issued the incomplete MS05-054 patch which plugged a specific instance of this issue that had been previously reported by Secunia. * MS05-054 does indeed provide minimal protection against subversion of the download prompting feature, but makes no attempt to secure other potential risk points. * Contact with some members of the MSRC continued from the October report beyond this point, but contact from the assigned investigator did not take place until February 15, 2006. * At that point in time, I was told that the vulnerability had been classed as a "Service Pack" fix, meaning that users of Windows 2000 will not receive a fix for this vulnerability. * Further, the MSRC disputed my assessment that the vulnerability was at all similar to CVE-2005-2289 (the File Download vulnerability patched by MS05-054). * Shortly after that decision, I informed MSRC that its assessment was incorrect and also that I had tentatively planned to disclose on April 24. * MSRC could not provide me with a compelling justification for its choice of release timeframe. In a rather threatening e-mail, I was finally asked for exploit code, as well as justification of "why this issue is so important". * After about an hour of work to actually write it, I provided the code to MSRC two days later on March 24. * There is no further contact from MSRC following this point. MSRC, for its troubles, got a two day reprieve because I was not yet prepared to disclose. So, I've (coincidentally) disclosed this issue in keeping with Michal Zalewski's informal "Bug Wednesday and Patch Saturday" policy. My experience with MSRC shows that Zalewski's strong objections to the generally-adversarial nature of the MSRC process and its lack of constructive results (particularly when Internet Explorer is involved) are well-founded. Simply put, don't shoot the messenger when your vendor and its patch processes are the problem most in need of a solution.
Hi, Matt, thanks for this. Another 50 bucks is in the mail. This is exactly what I need to make the Securityfocus homepage exciting again. -R http://360.yahoo.com/robert.lemos _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Internet Explorer User Interface Races, Redeux Matthew Murphy (Apr 26)
- Re: Internet Explorer User Interface Races, Redeux Robert Lemos (Apr 26)
- Re: Internet Explorer User Interface Races, Redeux Matthew Murphy (Apr 26)
- Re: Internet Explorer User Interface Races, Redeux Morning Wood (Apr 26)
- Re: Internet Explorer User Interface Races, Redeux Georgi Guninski (Apr 27)
- Re: Internet Explorer User Interface Races, Redeux Matthew Murphy (Apr 27)
- Re: Internet Explorer User Interface Races, Redeux n3td3v (Apr 27)
- Re: Internet Explorer User Interface Races, Redeux Matthew Murphy (Apr 26)
- Re: Internet Explorer User Interface Races, Redeux Robert Lemos (Apr 26)
- <Possible follow-ups>
- Re: Internet Explorer User Interface Races, Redeux Zh Linlin (Apr 26)
- RE: Internet Explorer User Interface Races, Redeux Antczak, Ed (Apr 27)
- bypassing Windows Domain Group Policy Objects Exibar (Apr 27)
- Re: bypassing Windows Domain Group Policy Objects Michael Holstein (Apr 27)
- Re: bypassing Windows Domain Group Policy Objects Michael Holstein (Apr 27)
- bypassing Windows Domain Group Policy Objects Exibar (Apr 27)