
| Subject: | Re: [Full-disclosure] Internet Explorer User Interface Races, Redeux |
|---|---|
| Date: | Thu, 27 Apr 2006 01:22:53 +0100 |

V. VENDOR RESPONSE

* Microsoft was informed of this vulnerability on October 20, 2005.
* As part of its December patch cycle, Microsoft issued the incomplete MS05-054 patch which plugged a specific instance of this issue that had been previously reported by Secunia.
* MS05-054 does indeed provide minimal protection against subversion of the download prompting feature, but makes no attempt to secure other potential risk points.
* Contact with some members of the MSRC continued from the October report beyond this point, but contact from the assigned investigator did not take place until February 15, 2006.
* At that point in time, I was told that the vulnerability had been classed as a "Service Pack" fix, meaning that users of Windows 2000 will not receive a fix for this vulnerability.
* Further, the MSRC disputed my assessment that the vulnerability was at all similar to CVE-2005-2289 (the File Download vulnerability patched by MS05-054).
* Shortly after that decision, I informed MSRC that its assessment was incorrect and also that I had tentatively planned to disclose on April 24.
* MSRC could not provide me with a compelling justification for its choice of release timeframe. In a rather threatening e-mail, I was finally asked for exploit code, as well as justification of "why this issue is so important".
* After about an hour of work to actually write it, I provided the code to MSRC two days later on March 24.
* There is no further contact from MSRC following this point.

MSRC, for its troubles, got a two day reprieve because I was not yet prepared to disclose. So, I've (coincidentally) disclosed this issue in keeping with Michal Zalewski's informal "Bug Wednesday and Patch Saturday" policy. My experience with MSRC shows that Zalewski's strong objections to the generally-adversarial nature of the MSRC process and its lack of constructive results (particularly when Internet Explorer is involved) are well-founded.

Simply put, don't shoot the messenger when your vendor and its patch processes are the problem most in need of a solution.

Hi, Matt, thanks for this. Another 50 bucks is in the mail. This is exactly what I need to make the Securityfocus homepage exciting again.

-R
http://360.yahoo.com/robert.lemos