[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] How to Report a Security VulnerabilitytoMicrosoft

To: tuytumadre@xxxxxxx
To: "Morning Wood" <se_cur_ity@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] How to Report a Security VulnerabilitytoMicrosoft
From: "Jason Coombs" <jasonc@xxxxxxxxxxx>
Date: Mon, 11 Apr 2005 07:40:04 +0000 GMT

Paul (greyhatsecurity.org) wrote:
> We went out to dinner on a couple
> occasions and had a good time

Wow, Paul. You sell your soul for a couple of mouthfuls of food?

No way is Microsoft to be trusted just because there are a bunch of 
potentially-good people doing technical work in the trenches. They are called 
'pawns' and the abuse and exploitation of those people is legendary.

I say 'potentially' good because any one of them could, at any moment, quit 
Microsoft and by so doing prove themselves dedicated to creating a better 
future for everyone, even when it means a little personal hardship to do so.

The question that matters is who are the executives of Microsoft, and what are 
they doing today?

You may have temporarily forgotten that the executives at Microsoft have done 
terrible things that have harmed every person on Earth. Fortunately, the rest 
of us haven't.

Microsoft must know how to pick a nice bottle of wine.

Regards,

Jason Coombs
jasonc@xxxxxxxxxxx

-----Original Message-----
From: tuytumadre@xxxxxxx
Date: Mon, 11 Apr 2005 07:22:47 
To:"Morning Wood" <se_cur_ity@xxxxxxxxxxx>
Cc:full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] How to Report a Security Vulnerability
        toMicrosoft

> this is basicly the same response I had from my OWA advisory ... 
> 
> >VI. VENDOR RESPONSE 
> > 
> >Microsoft has reviewed the issue and has made the determination that 
> >while a bug fix may be implemented in a future service pack, a security 
> >advisory/patch will not be released for this issue 
> 
> therefore, in the interest of everones security, iDefense released the 
> advisory ( as did I ) without a patch being released first. 
> it is quite possible they ( Microsoft ) are trying to make out like they 
> were'nt contacted before said advisory was released.... but that is just my 
> opinion on observation. 
> 
> my 2 bits, 
> 
> Donnie Werner 
> 

That response was given to me when I reported a DoS vulnerability for Internet 
Explorer (which, might I add, required user interaction). It simply meens that 
the reported vuln, on a severity scale of 1-10, would pretty much be given a 1. 
If I'm not mistaken, your OWA vulnerability just spoofs the From address. 
Although some forms of social engineering MIGHT be possible, there is 
ultimately no use for something this minor. Think for a second about how much 
time and resources, including human labor required to produce the patch as well 
as the technology department employees that must install patches on every 
computer in large corperations, goes into making a patch. First of all, there's 
the whole problem with does the solution break 3rd party software. Also theres 
a problem with cross-platform software (they do have stuff for Mac you know). 
Another thing they have to worry about is how much money and resources it costs 
companies other than Microsoft to apply the patches. When c
 ommon people start seeing a lot of patches, they start losing faith in the 
software, which is bad for Microsoft. Therefore, the bad outweighs the good 
when determining whether to provide a patch for something as insignificant as 
your OWA advisory. I am not saying that I don't respect your efforts. I am just 
trying to get accross the message that Microsoft is not out to get us. Everyone 
thinks of them as this big evil monopolistic empire, but they're not. By the 
way, has anyone read Writing Secure Code by some of the guys from Microsoft? 
It's pretty interesting, and it offers some insight as to what are considered 
critical vulnerabilities and what are considered vulnerabilities with little or 
no severity. Believe me when I tell you (as I have had 1 on 1 conversations 
with many security vip's at Microsoft Campus) that Microsoft is doing 
everything that they can to ensure you a safe, enjoyable experience while using 
their software.

Btw, Mr. Werner, you seem to be among the common group of anti-Microsoft 
individuals. May I ask what the vendor of your operating system is? What about 
your browser? Maybe even your word processor or html editor? Uh-huh, that's 
what I though.

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org

P.S. I do NOT work for Microsoft. I was merely invited to visit their campus 
and meet some of their people. Very nice bunch of folks they are. We went out 
to dinner on a couple occasions and had a good time.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re:[Full-disclosure] How to Report a Security VulnerabilitytoMicrosoft
  - From: Thomas Zangl - Mobil

Prev by Date: [Full-disclosure] UPDATE was RE: [NT] Microsoft Multiple E-Mail Client AddressSpoofing Vulnerability
Next by Date: [Full-disclosure] [USN-110-1] Linux kernel vulnerabilities
Previous by thread: [Full-disclosure] off topic - owasp logo
Next by thread: Re:[Full-disclosure] How to Report a Security VulnerabilitytoMicrosoft
Index(es):
- Date
- Thread