Re: [Full-Disclosure] MSIE src&name property disclosure

From: Michal Zalewski (lcamtuf_at_ghettot.org)
Date: 11/08/04

  • Next message: Berend-Jan Wever: "MSIE src&name property disclosure"
    Date: Mon, 8 Nov 2004 15:13:57 +0100 (CET)
    To: Berend-Jan Wever <skylined@edup.tudelft.nl>
    
    

    On Mon, 8 Nov 2004, Berend-Jan Wever wrote:

    > In response to statements found at
    > http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html

    Yup.

    But what amuses me most, is the following bit:

      "Microsoft has begun to investigate the Iframe vulnerability and has not
      been made aware of any program designed to exploit the flaw, the company
      said in an e-mail statement to CNET News.com."

    When you posted your first message confirming that the problem is
    exploitable, I forwarded it to secure@microsoft.com, so that they know
    they have a problem in case they do not read Full-Disclosure. I got no
    response. Later, when you posted a working exploit, I sent them another
    forward, including a remark it is probably a good idea to react now, if
    they failed to do so before.

    In response, I got a mail from "Lennart" of Microsoft Security Response
    Center, saying that they are aware of the problem and read mailing lists,
    and that my original mail simply got lost in the noise.

    Several days later, this statement surfaces in an article, showing beyond
    any doubt that they are, quite simply, lying to the public to save face
    and gain time.

    As much as I am not a rabid Microsoft hater, this pissed me off more than
    a bit.

    -- 
    ------------------------- bash$ :(){ :|:&};: --
     Michal Zalewski * [http://lcamtuf.coredump.cx]
        Did you know that clones never use mirrors?
    --------------------------- 2004-11-08 15:09 --
       http://lcamtuf.coredump.cx/photo/current/
    

  • Next message: Berend-Jan Wever: "MSIE src&name property disclosure"