Re: [Full-disclosure] Internet Explorer User Interface Races, Redeux



V. VENDOR RESPONSE

* Microsoft was informed of this vulnerability on October 20, 2005.

* As part of its December patch cycle, Microsoft issued the incomplete
MS05-054 patch which plugged a specific instance of this issue that had
been previously reported by Secunia.

* MS05-054 does indeed provide minimal protection against subversion
of the download prompting feature, but makes no attempt to secure other
potential risk points.

* Contact with some members of the MSRC continued from the October
report beyond this point, but contact from the assigned investigator
did not take place until February 15, 2006.

* At that point in time, I was told that the vulnerability had been
classed as a "Service Pack" fix, meaning that users of Windows 2000 will
not receive a fix for this vulnerability.

* Further, the MSRC disputed my assessment that the vulnerability was
at all similar to CVE-2005-2289 (the File Download vulnerability patched
by MS05-054).

* Shortly after that decision, I informed MSRC that its assessment was
incorrect and also that I had tentatively planned to disclose on April
24.

* MSRC could not provide me with a compelling justification for its
choice of release timeframe. In a rather threatening e-mail, I was
finally asked for exploit code, as well as justification of "why this
issue is so important".

* After about an hour of work to actually write it, I provided the code
to MSRC two days later on March 24.

* There is no further contact from MSRC following this point.

MSRC, for its troubles, got a two day reprieve because I was not yet
prepared to disclose. So, I've (coincidentally) disclosed this issue in
keeping with Michal Zalewski's informal "Bug Wednesday and Patch
Saturday" policy. My experience with MSRC shows that Zalewski's strong
objections to the generally-adversarial nature of the MSRC process and
its lack of constructive results (particularly when Internet Explorer
is involved) are well-founded. Simply put, don't shoot the messenger
when your vendor and its patch processes are the problem most in need
of a solution.

Hi, Matt, thanks for this. Another 50 bucks is in the mail. This is
exactly what I need to make the Securityfocus homepage exciting again.

-R
http://360.yahoo.com/robert.lemos

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
