lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20041108150913.X14239@dekadens.coredump.cx>
Date: Mon, 8 Nov 2004 15:13:57 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ttot.org>
To: Berend-Jan Wever <skylined@...p.tudelft.nl>
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Re: MSIE src&name property disclosure


On Mon, 8 Nov 2004, Berend-Jan Wever wrote:

> In response to statements found at
> http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html

Yup.

But what amuses me most, is the following bit:

  "Microsoft has begun to investigate the Iframe vulnerability and has not
  been made aware of any program designed to exploit the flaw, the company
  said in an e-mail statement to CNET News.com."

When you posted your first message confirming that the problem is
exploitable, I forwarded it to secure@...rosoft.com, so that they know
they have a problem in case they do not read Full-Disclosure. I got no
response. Later, when you posted a working exploit, I sent them another
forward, including a remark it is probably a good idea to react now, if
they failed to do so before.

In response, I got a mail from "Lennart" of Microsoft Security Response
Center, saying that they are aware of the problem and read mailing lists,
and that my original mail simply got lost in the noise.

Several days later, this statement surfaces in an article, showing beyond
any doubt that they are, quite simply, lying to the public to save face
and gain time.

As much as I am not a rabid Microsoft hater, this pissed me off more than
a bit.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-11-08 15:09 --

   http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ