Re: Microsoft Warns of New Windows Flaw (March 19, 2003 )
From: Bill Blanton (bblanton@REMOVEmagicnet.net)
From: "Bill Blanton" <bblanton@REMOVEmagicnet.net> Date: Sat, 22 Mar 2003 19:47:17 GMT
"FromTheRafters" <!email@example.com> wrote in message news:firstname.lastname@example.org...
> > In a fit of excitement on Thu, 20 Mar 2003 16:37:40 GMT, The Other
> > Guy <email@example.com> managed to scribble:
> > > http://www.eweek.com/article2/0,3959,941455,00.asp
> > > March 19, 2003
> > > Microsoft Warns of New Windows Flaw
> > >
> > > Microsoft Corp. has released a patch for a critical vulnerability
> > > in every version of Windows from 98 forward.
> > > The flaw lies in the Windows Script Engine for Jscript, which
> > > enables the operating system to execute script code.
> It seems they don't take it seriously until someone shoves a written
> exploit code in their face. Is that what happened here?
According to http://marc.theaimsgroup.com/?l=bugtraq&m=104812108307645&w=2
they were made aware in July of '02 and again in Jan '03.
It took some 8 months from the original contact, and 2 months from the
more "official contact" (and by the looks of it..some pestering) to release
VIII. DISCLOSURE TIMELINE
07/07/2002 Microsoft initially notified
12/07/2002 Issue disclosed to iDEFENSE
01/09/2003 iDEFENSE notification sent to Microsoft (firstname.lastname@example.org)
01/10/2003 Response received from email@example.com
01/10/2003 iDEFENSE clients notified
01/11/2003 to 03/18/2003 No less than eight e-mails requesting status reports on patch status
03/19/2003 Public disclosure
Roland Postle ( [snip] ) discovered this vulnerability.