This is the address you are looking for: https://cert.microsoft.com
On 14 Dec 2013, at 06:03, Pedro Luis Karrasquillo <[email protected]> wrote:

> Ok.
> Connect.microsoft.com is not accepting Server 2k8 DNS bugs, and I did not find a specific place in TechNet to report either. Felt like going in circles between the MS Contact Us page and connect.microsoft.com.
> Maybe you are right, I may lack a certain level of patience...
> Went ahead and started a chat session with MS support. It went like this:
> -------------------------
>
> General Info
> Chat start time: Dec 13, 2013 11:34:07 PM EST
> Chat end time: Dec 13, 2013 11:46:23 PM EST
> Duration (actual chatting time): 00:12:15
> Operator: Germaine
>
> Chat Transcript
> info: Please wait for an agent to respond. You are currently '1' in the queue.
> info: Privacy Statement
> You are now chatting with 'Germaine'.
> Germaine: Thank you for contacting Microsoft Customer Service chat. This chat service is designed to assist you with site navigation, technical support case submission, and customer service questions.
> Germaine: If you need technical support, I can provide you with your support options or help you submit your case to the appropriate support professional who can work with you to resolve your issue.
> Germaine: How may I help you, Pedro?
> pedro: are you a human?
> Germaine: Yes, I am. How can I help you?
> pedro: i want to submit a bug report for Windows Server 2008 R2 DNS server
> pedro: it has a flaw
> Germaine: You have 2 options:
> Germaine: Either you submit it through our Microsoft Technet Forums or Connect.microsoft.com.
> pedro: connect.micro is not accepting bugs for 2008
> pedro: and technet has nowhere to submit bugs either. already checked.
> pedro: unless it is out of the way.. I am a security researcher. I plan to disclose.
> Germaine: Let me check my resources.
> Germaine: Reporting a bug, Pedro, can be through U.S. Mail, Support Incident and Product Feedback Tool.
> Germaine: For U.S. Mail, mail your report to Attn: Development Group, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052.
> Germaine: To use Support Incident, if you have a subscription with technical benefits, you may submit a case and our Support Professional will take a look at it.
> Germaine: For Product Feedback Tool, you may visit the Windows Server 2008 R2 Product Support page and provide feedback.
> Germaine: You may reach our Support professional by following this link:
> Germaine: Submit an Incident - Online Assisted Support
> pedro: i do not have a subscription, sorry.
> Germaine: Well, you can do the other two options: U.S. Mail & Product Feedback Tool.
> pedro: I may have to just publish. I hate to see Windows DNS servers being used for DDoS attacks so easily, you know? With it being an easy fix and all.
> pedro: Thank you, Germaine.
> Germaine: You're welcome, Pedro.
> Germaine: If there's nothing else, I will close this session now.
> Germaine: Thank you for using Microsoft Customer Service chat.
> Germaine: Have a good one, Pedro!
> ----------------------
>
> I read all of the responses to this thread so far and I appreciate all your opinions.
> After the chat with the MS rep, I feel like disclosing. For one, the bug is not a huge deal, just annoying that your server can be used to help DDoS someone so easily, and two, MS did not seem interested in bugs for last-gen products.
>
> Date: Sat, 14 Dec 2013 02:52:33 +0000
> Subject: Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure question?
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]
>
> Q: 1. should I tell MS first?
> A: Microsoft is just a big company - there are good guys (my good friend was there), and there are bad guys (who think too much about money, etc). So, it's up to you whether you email secure@ms. Another factor: it can take months for a bug to be fixed (first MSRC checks it, then the product team fixes it, then release - all steps take a lot of time). Guninski: "give them a few seconds" - if you want to work with Microsoft, you've got to be a little patient.
>
> Q: 2. being this is possibly my first bug as a researcher, will this get me into trouble (legal or otherwise)?
> A: No, publishing before the fix will not get you into trouble. Guninski: "if they sue you" - they won't sue you (Guninski did it before on Microsoft products, and he is fine).
>
> Q: 3. will this make me a rock star?
> A: Ah, this depends on the impact.
>
> __________
> http://offlinechromeinstaller.com/
>
>
> On Fri, Dec 13, 2013 at 3:08 PM, Georgi Guninski <[email protected]> wrote:
> On Thu, Dec 12, 2013 at 10:02:55PM -0400, Pedro Luis Karrasquillo wrote:
> > Humans, Dwarves, Elves, Fairies and all free folk on this list:
> >
> > Meli Kalikimaka.
> >
> > I think I found a relatively small bug with Windows Server running DNS with recursion turned off, that still allows the server to be used for DDOS amplification attacks. There are a sizable number of these on the net, and I do not think operators realize that the server is not totally silent with recursion turned off.
> > I want to put my findings here on the list, as well as on my blog, but I am unsure if:
> >
> > 1. should I tell MS first?
>
> if you ask me definitely no.
> or at most give them a few seconds.
>
> > 2. being this is possibly my first bug as a researcher, will this get me into trouble (legal or otherwise)?
>
> if they sue you, I suppose this will make you a star for some time.
>
> IANAL, so take care.
>
> > 3. will this make me a rock star?
> >
> > I have details on the bug, as well as remediation steps. I would not say I "discovered" it per se, as I found it while studying an attack on a network I protect, but I do not see it documented anywhere either.
> >
> > What say you, Wise List Readers?
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
