> V. VENDOR RESPONSE
>
> * Microsoft was informed of this vulnerability on October 20, 2005.
>
> * As part of its December patch cycle, Microsoft issued the incomplete
> MS05-054 patch which plugged a specific instance of this issue that had
> been previously reported by Secunia.
>
> * MS05-054 does indeed provide minimal protection against subversion
> of the download prompting feature, but makes no attempt to secure other
> potential risk points.
>
> * Contact with some members of the MSRC continued from the October
> report beyond this point, but contact from the assigned investigator
> did not take place until February 15, 2006.
>
> * At that point in time, I was told that the vulnerability had been
> classed as a "Service Pack" fix, meaning that users of Windows 2000 will
> not receive a fix for this vulnerability.
>
> * Further, the MSRC disputed my assessment that the vulnerability was
> at all similar to CVE-2005-2289 (the File Download vulnerability patched
> by MS05-054).
>
> * Shortly after that decision, I informed MSRC that its assessment was
> incorrect and also that I had tentatively planned to disclose on April
> 24.
>
> * MSRC could not provide me with a compelling justification for its
> choice of release timeframe. In a rather threatening e-mail, I was
> finally asked for exploit code, as well as justification of "why this
> issue is so important".
>
> * After about an hour of work to actually write it, I provided the code
> to MSRC two days later on March 24.
>
> * There is no further contact from MSRC following this point.
>
> MSRC, for its troubles, got a two day reprieve because I was not yet
> prepared to disclose. So, I've (coincidentally) disclosed this issue in
> keeping with Michal Zalewski's informal "Bug Wednesday and Patch
> Saturday" policy.
>
> My experience with MSRC shows that Zalewski's strong
> objections to the generally-adversarial nature of the MSRC process and
> its lack of constructive results (particularly when Internet Explorer
> is involved) are well-founded. Simply put, don't shoot the messenger
> when your vendor and its patch processes are the problem most in need
> of a solution.
Hi, Matt, thanks for this. Another 50 bucks is in the mail. This is exactly what I need to make the Securityfocus homepage exciting again.

-R
http://360.yahoo.com/robert.lemos
