Bernhard Mueller wrote:

Mr. Zalewski's statement about the undue burden that Microsoft's
investigative processes place on the researcher is indeed accurate. The
only time I've had any success working with Microsoft was when the issue
was a straightforward code execution scenario. Oh wait... even then,
I'm blown off.

The same here... When I mailed them about that COM vulnerability in IE,
they came up with "this is not exploitable, bla..." after two weeks of
internal research and all. Having a bad morning anyway, I decided to post
the advisory and, see, one day later there's an MS security advisory that
"a COM object may crash Internet Explorer" (however, they forgot to
mention the public bindshell exploit released by the fsirt).
Now recently MS05-37 came out, which somehow doesn't include any credits
or mention of the original advisory whatsoever (the reason for that
being, I presume, the lack of responsibility shown by us).
I think it's rather strange to hear a billion-dollar software monopolist
appeal to my conscience like "look what you've done, you put our
customers at risk". They wouldn't give a lame cent for the security of
their customers if there wasn't a certain media hype about security.
They care for their image and stock index, and that's about it. And I
don't see why I should be held responsible for that ;)


regards,

sk0L

I think it all boils down to how black of an eye they want to give themselves. If and when it's a clean code execution, they have to say it is, because you and I both know that when the exploit is published it makes them look even worse. In a way, I am kind of dealing with this same scenario.

-- Tom
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/