Re: [Full-disclosure] Internet Explorer User Interface Races, Redeux

On 4/27/06, Antczak, Ed <Ed.Antczak@xxxxxxx> wrote:
Thanks for the email header lesson.
Basics, or complex analysis is part of what makes postings worth

Yes, he's young, immature. He -is- releasing to the script kiddie
community of FD legitimate Microsoft product vulnerabilities, for which
everyone is grateful. However, the blatant targeting of the media
(Robert Lemos) via his "VENDOR RESPONSE" paragraphs will decrease his
mad hax0r points credibility in the underground and also the
professional circuit. Yes, he's a genius, yes he's great, but drop the
media audience target of your advisories and you won't have the likes
of n3td3v ID's running amok on your legitimate Microsoft advisories.
As for the showing off of "look I understand e-mail headers" thing,
that wasn't even needed, all everyone had to do was look at the link,
and you would know it was a Robert Lemos look-alike. And if you had
been paying attention Matty boy, you would have seen it wasn't the
first time the Robert Lemos look-alike had appeared. And the previous
look-alike post actually acknowledged it as such. Ha! Then your
immaturity ran further by saying, "as if Robert Lemos would have a
Yahoo account." Hehe, his Yahoo account is "robert_lemos" but if you had
read the Robert Lemos Fan Club Blog, you would have seen the post I
made about it. As for you "being a contact" knowing his e-mail
address. That's laughable. I've been emailing him from for years and
i.ming him on Yahoo Messenger for years. So much for your "inside
knowledge" of how to contact Robert Lemos, ha ha ha.

You're a clever guy (Matty) but there's elements of your advisories you
need to touch up, like the artificial creation of Microsoft Security
Response Center drama, which you're hopeful the media will pick up on!
No one gives a shit if one college student thinks Microsoft's
disclosure to patch tuesday cycle is too slow for your liking. You
report the vulnerability to Microsoft, and then it's out of your hands.
Microsoft can sit on the vulnerability for years if they so choose to
do so, it's not the position of the bug finder to influence and change
corporate security policies and never will be. Yes, sure Microsoft
take months to tell the public about a vulnerability you report, so
what, who gives a shit, and why should you? Unless your primary goal
isn't to research Microsoft product vulnerabilities and alert them to
a flaw, and really, you're just after the world stage of Microsoft
announcing a flaw to everyone via their website, just so you can get
off for five minutes of fame. It's not about the media, it's not about
fame, it's not about everyone knowing what a great guy you are, it's
about alerting a vendor in private of an issue, and moving on. Why
care if Microsoft release a patch? You told them about it, it's the
most you can do, they decide when to release a patch or tell the
public about it, via their own strategies, it will always be out of
the control of the bug finder. I was like you once, I used to cream at
Google and Yahoo for not patching something, but then once I spoke to
the guys involved, I realised, it's not about security, it's about
choosing a good time to bury bad news, and of course, the queuing
system of whose flaw gets more attention first is down to money, and
the risk to profit, not how critical the bug finder decides the
vulnerability is, but security professionals, deciding on priority on
the basis of what makes business sense, not on the basis of what makes
sense to a bug finder, who is wetting his pants at the opportunity to
get acknowledged in public, by one of the biggest software makers in
the world.

Regards, n3td3v

