Re: Internet Explorer User Interface Races, Redeux

["Robert Lemos" <robert.lemos () yahoo com>]

> V. VENDOR RESPONSE
>
> * Microsoft was informed of this vulnerability on October 20, 2005.
>
> * As part of its December patch cycle, Microsoft issued the incomplete
> MS05-054 patch which plugged a specific instance of this issue that had
> been previously reported by Secunia.
>
> * MS05-054 does indeed provide minimal protection against subversion
> of the download prompting feature, but makes no attempt to secure other
> potential risk points.
>
> * Contact with some members of the MSRC continued from the October
> report beyond this point, but contact from the assigned investigator
> did not take place until February 15, 2006.
>
> * At that point in time, I was told that the vulnerability had been
> classed as a "Service Pack" fix, meaning that users of Windows 2000 will
> not receive a fix for this vulnerability.
>
> * Further, the MSRC disputed my assessment that the vulnerability was
> at all similar to CVE-2005-2289 (the File Download vulnerability patched
> by MS05-054).
>
> * Shortly after that decision, I informed MSRC that its assessment was
> incorrect and also that I had tentatively planned to disclose on April
> 24.
>
> * MSRC could not provide me with a compelling justification for its
> choice of release timeframe.  In a rather threatening e-mail, I was
> finally asked for exploit code, as well as justification of "why this
> issue is so important".
>
> * After about an hour of work to actually write it, I provided the code
> to MSRC two days later on March 24.
>
> * There is no further contact from MSRC following this point.
>
> MSRC, for its troubles, got a two day reprieve because I was not yet
> prepared to disclose.  So, I've (coincidentally) disclosed this issue in
> keeping with Michal Zalewski's informal "Bug Wednesday and Patch
> Saturday" policy.  My experience with MSRC shows that Zalewski's strong
> objections to the generally-adversarial nature of the MSRC process and
> its lack of constructive results (particularly when Internet Explorer
> is involved) are well-founded.  Simply put, don't shoot the messenger
> when your vendor and its patch processes are the problem most in need
> of a solution.

Hi, Matt, thanks for this. Another 50 bucks is in the mail. This is
exactly what I need to make the Securityfocus homepage exciting again.

-R
http://360.yahoo.com/robert.lemos

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/