Re: [Full-disclosure] Internet Explorer User Interface Races, Redeux


* Microsoft was informed of this vulnerability on October 20, 2005.

* As part of its December patch cycle, Microsoft issued the incomplete
MS05-054 patch which plugged a specific instance of this issue that had
been previously reported by Secunia.

* MS05-054 does indeed provide minimal protection against subversion
of the download prompting feature, but makes no attempt to secure other
potential risk points.

* Contact with some members of the MSRC continued from the October
report beyond this point, but contact from the assigned investigator
did not take place until February 15, 2006.

* At that point in time, I was told that the vulnerability had been
classed as a "Service Pack" fix, meaning that users of Windows 2000 will
not receive a fix for this vulnerability.

* Further, the MSRC disputed my assessment that the vulnerability was
at all similar to CVE-2005-2289 (the File Download vulnerability patched
by MS05-054).

* Shortly after that decision, I informed MSRC that its assessment was
incorrect and also that I had tentatively planned to disclose on April

* MSRC could not provide me with a compelling justification for its
choice of release timeframe. In a rather threatening e-mail, I was
finally asked for exploit code, as well as justification of "why this
issue is so important".

* After about an hour of work to actually write it, I provided the code
to MSRC two days later on March 24.

* There is no further contact from MSRC following this point.

MSRC, for its troubles, got a two day reprieve because I was not yet
prepared to disclose. So, I've (coincidentally) disclosed this issue in
keeping with Michal Zalewski's informal "Bug Wednesday and Patch
Saturday" policy. My experience with MSRC shows that Zalewski's strong
objections to the generally-adversarial nature of the MSRC process and
its lack of constructive results (particularly when Internet Explorer
is involved) are well-founded. Simply put, don't shoot the messenger
when your vendor and its patch processes are the problem most in need
of a solution.

Hi, Matt, thanks for this. Another 50 bucks is in the mail. This is
exactly what I need to make the Securityfocus homepage exciting again.


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -