Open Source and information security mailing list archives
Date: Thu Apr 27 01:23:01 2006
From: robert.lemos at yahoo.com (Robert Lemos)
Subject: Internet Explorer User Interface Races, Redeux

> V. VENDOR RESPONSE
>
> * Microsoft was informed of this vulnerability on October 20, 2005.
>
> * As part of its December patch cycle, Microsoft issued the incomplete
> MS05-054 patch which plugged a specific instance of this issue that had
> been previously reported by Secunia.
>
> * MS05-054 does indeed provide minimal protection against subversion
> of the download prompting feature, but makes no attempt to secure other
> potential risk points.
>
> * Contact with some members of the MSRC continued from the October
> report beyond this point, but contact from the assigned investigator
> did not take place until February 15, 2006.
>
> * At that point in time, I was told that the vulnerability had been
> classed as a "Service Pack" fix, meaning that users of Windows 2000 will
> not receive a fix for this vulnerability.
>
> * Further, the MSRC disputed my assessment that the vulnerability was
> at all similar to CVE-2005-2289 (the File Download vulnerability patched
> by MS05-054).
>
> * Shortly after that decision, I informed MSRC that its assessment was
> incorrect and also that I had tentatively planned to disclose on April
> 24.
>
> * MSRC could not provide me with a compelling justification for its
> choice of release timeframe.  In a rather threatening e-mail, I was
> finally asked for exploit code, as well as justification of "why this
> issue is so important".
>
> * After about an hour of work to actually write it, I provided the code
> to MSRC two days later on March 24.
>
> * There is no further contact from MSRC following this point.
>
> MSRC, for its troubles, got a two day reprieve because I was not yet
> prepared to disclose.  So, I've (coincidentally) disclosed this issue in
> keeping with Michal Zalewski's informal "Bug Wednesday and Patch
> Saturday" policy.  My experience with MSRC shows that Zalewski's strong
> objections to the generally-adversarial nature of the MSRC process and
> its lack of constructive results (particularly when Internet Explorer
> is involved) are well-founded.  Simply put, don't shoot the messenger
> when your vendor and its patch processes are the problem most in need
> of a solution.

Hi, Matt, thanks for this. Another 50 bucks is in the mail. This is
exactly what I need to make the Securityfocus homepage exciting again.

-R
http://360.yahoo.com/robert.lemos
