
| Subject: | Re: [Full-disclosure] How to Report a Security Vulnerability to Microsoft |
|---|---|
| Date: | Mon, 11 Apr 2005 07:22:47 +0000 |
This is basically the same response I had from my OWA advisory ...

VI. VENDOR RESPONSE

Microsoft has reviewed the issue and has made the determination that while a bug fix may be implemented in a future service pack, a security advisory/patch will not be released for this issue.

Therefore, in the interest of everyone's security, iDefense released the advisory (as did I) without a patch being released first. It is quite possible they (Microsoft) are trying to make out like they weren't contacted before said advisory was released... but that is just my opinion on observation.

My 2 bits,
Donnie Werner
That response was given to me when I reported a DoS vulnerability for Internet Explorer (which, might I add, required user interaction). It simply means that the reported vuln, on a severity scale of 1-10, would pretty much be given a 1. If I'm not mistaken, your OWA vulnerability just spoofs the From address. Although some forms of social engineering MIGHT be possible, there is ultimately no use for something this minor.

Think for a second about how much time and resources, including human labor required to produce the patch as well as the technology department employees that must install patches on every computer in large corporations, goes into making a patch. First of all, there's the whole problem with does the solution break 3rd party software. Also there's a problem with cross-platform software (they do have stuff for Mac you know). Another thing they have to worry about is how much money and resources it costs companies other than Microsoft to apply the patches. When common people start seeing a lot of patches, they start losing faith in the software, which is bad for Microsoft. Therefore, the bad outweighs the good when determining whether to provide a patch for something as insignificant as your OWA advisory.

I am not saying that I don't respect your efforts. I am just trying to get across the message that Microsoft is not out to get us. Everyone thinks of them as this big evil monopolistic empire, but they're not. By the way, has anyone read Writing Secure Code by some of the guys from Microsoft? It's pretty interesting, and it offers some insight as to what are considered critical vulnerabilities and what are considered vulnerabilities with little or no severity. Believe me when I tell you (as I have had 1 on 1 conversations with many security VIPs at Microsoft Campus) that Microsoft is doing everything that they can to ensure you a safe, enjoyable experience while using their software.

Btw, Mr. Werner, you seem to be among the common group of anti-Microsoft individuals. May I ask what the vendor of your operating system is? What about your browser? Maybe even your word processor or HTML editor? Uh-huh, that's what I thought.

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org

P.S. I do NOT work for Microsoft. I was merely invited to visit their campus and meet some of their people. Very nice bunch of folks they are. We went out to dinner on a couple occasions and had a good time.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/