I noticed that you made no mention of informing or attempting to work with
the vendor on this issue. So I have forwarded this message to
secure@microsoft.com which is the email address one would use if they
choose to work with a vendor.
VulnWatch has never attempted to impose any type of disclosure policy on
anyone that uses this list. That being said, I do want to go on the
record of stating that much like the companies that will purchase your
bugs, VulnWatch will gladly help any researcher or casual IT Security
enthusiast with the researching and disclosure process of any potential
security vulnerability or bug. Unlike the companies that purchase your
bugs, VulnWatch is a free resource for the IT Security Community so we
offer no payment other than you get full credit for the find -- unless you
wish to remain anonymous. Note that we have offered this service long
before anyone has offered to pay you "beer money" for a bug.
As a refresher, here is how it works.
1.) You find a bug or potential bug but want help researching it.
- email mod at vulnwatch.org we will help you research the
issue,
help you work with the vendor and insure that you get full credit. Or, if
you prefer to remain anonymous you can do that as well.
2.) You find a bug and need help working with the vendor
- email mod at vulnwatch.org and we will help you with that.
Or, if you prefer, just drop your zero day with no vendor notification to
vulnwatch@vulnwatch.org. Either way we don't lose sleep but for the
record I think all of the moderators of VulnWatch prefer a more
responsible disclosure.
Not flaming or critisizing you or anyone -- I just wanted to offer up the
brains at VulnWatch to anyone that may need future help.
Cheers;
Steve Manzuik
Moderator - VulnWatch.Org
-----------------------------Original message-------------------
From: ad@class101.org [mailto:ad@class101.org]
Sent: Tue 11/1/2005 10:01 AM
To: vulnwatch@vulnwatch.org
Subject: [VulnDiscuss] new IE bug (confirmed on ALL windows)
I think I have found by chance this weekend a security bug,while browsing
the website news, within iexplorer on all windows versions.
I haven't enough knowledge (and don't want) into web browsers security to
conduct a full investigation, at least,
I took the source of the webpage and with a simple split method on the
html
code, it's now reduce to some line of html code and a .css file to trigger
the bug.
And by the way the crash looks like to happen each time now instead of
sometimes while browsing the affected website.
http://class101.org/IEcrash.htm (ONLINE test)
http://class101.org/IEcrash.rar (OFFLINE package)
my tests(updated to 01 Nov. 2005):
Windows NT4 Workstation SP6a ENGLISH 32-bit (IE32-6.0.2800.1106) -CRASH-
Windows NT4 Server SP6a ENGLISH 32-bit (IE32-6.0.2800.1106) -CRASH-
Windows 2k Workstation SP4 ENGLISH 32-bit (IE32-6.0.2800.1106) -CRASH-
Windows 2k Server SP4 ENGLISH 32-bit (IE32-6.0.2800.1106) -CRASH-
Windows XP Professional SP1 ENGLISH 64-bit (IE32-6.0.3790.1830) -CRASH-
Windows XP Professional SP1 ENGLISH 64-bit (IE64-6.0.3790.1830) -CRASH-
Windows XP Professional SP2 ENGLISH 32-bit (IE32-6.0.2900.2180) -CRASH-
Windows XP Professional SP1 ENGLISH 32-bit (IE32-6.0.2900.1106) -CRASH-
Windows 2k3 Server Std SP1 ENGLISH 32-bit (IE32-6.0.3790.1830) -CRASH-
(silently exiting, no crash box...)
