Re: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
On 4/27/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > they have pubbed theire contact some days ago: [EMAIL PROTECTED] I tried the form, and then later sent email directly to the contact address above. Within minutes of sending email I received a form letter response with a problem ID, and then a few minutes later received a second message citing the same problem ID and including the information from my original web form submission. This suggests that both contact methods are functional and likely go to the same queue. Kevin Kadow ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
they have pubbed theire contact some days ago: [EMAIL PROTECTED] Gary O'leary-Steele a écrit : Hi, Im also trying to report a vulnerability to Microsoft but the site they provide is broken when i fill out and send https://www.microsoft.com/technet/security/bulletin/alertus.aspx I get: We’re sorry, but we were unable to service your request. You may wish to choose from the links below for information about Microsoft products and services. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Sent: 27 April 2005 00:11 To: Microsoft Security Response Center Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED] Subject: Re: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft On a related note, today we ran into (headfirst) a bug in Internet Explorer with the processing of a AutoProxy scripts (Proxy Automatic Configuration aka "PAC", a specialized subset of javascript to make client-side web proxy routing decisions). Eventually I isolated the problem to a broken implementation of dnsDomainIs() in Internet Explorer, so I decided to do the right thing and report the bug to Microsoft. This isn't a higly critical security flaw, so I hunted around microsoft.com and eventually found the page on bug reporting: http://support.microsoft.com/gp/contactbug The page states "If you think you have found a bug in a Microsoft product, contact our Microsoft Product Support Services department. (800) MICROSOFT (642-7676)". No email address, no web form, just a phone number. So I call this number, and after five minutes of sitting through IVR menus, I finally reach a live human. She asks for my name and phone number, and as soon as I mention that I am reporting a bug in Internet Explorer, says she will transfer my call. At that point I get fifteen seconds of music on hold, followed by dead air. That was a half hour ago. Kevin Kadow (P.S. Yes, this is definitely a bug in MSIE -- every other browser I've tried handles dnsDomainIs() correctly, the sole exception is MSIE). ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ** NEW: Sec-1 Hacking Training - Learn to breach network security to further your knowledge and protect your network http://www.sec-1.com/applied_hacking_course.html ** ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
RE: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
Hi, Im also trying to report a vulnerability to Microsoft but the site they provide is broken when i fill out and send https://www.microsoft.com/technet/security/bulletin/alertus.aspx I get: Were sorry, but we were unable to service your request. You may wish to choose from the links below for information about Microsoft products and services. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Sent: 27 April 2005 00:11 To: Microsoft Security Response Center Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED] Subject: Re: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft On a related note, today we ran into (headfirst) a bug in Internet Explorer with the processing of a AutoProxy scripts (Proxy Automatic Configuration aka "PAC", a specialized subset of javascript to make client-side web proxy routing decisions). Eventually I isolated the problem to a broken implementation of dnsDomainIs() in Internet Explorer, so I decided to do the right thing and report the bug to Microsoft. This isn't a higly critical security flaw, so I hunted around microsoft.com and eventually found the page on bug reporting: http://support.microsoft.com/gp/contactbug The page states "If you think you have found a bug in a Microsoft product, contact our Microsoft Product Support Services department. (800) MICROSOFT (642-7676)". No email address, no web form, just a phone number. So I call this number, and after five minutes of sitting through IVR menus, I finally reach a live human. She asks for my name and phone number, and as soon as I mention that I am reporting a bug in Internet Explorer, says she will transfer my call. At that point I get fifteen seconds of music on hold, followed by dead air. That was a half hour ago. Kevin Kadow (P.S. Yes, this is definitely a bug in MSIE -- every other browser I've tried handles dnsDomainIs() correctly, the sole exception is MSIE). ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ** NEW: Sec-1 Hacking Training - Learn to breach network security to further your knowledge and protect your network http://www.sec-1.com/applied_hacking_course.html ** ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
;) Key Id on pict and on site is same. So? Andrew Farmer wrote: On 12 Apr 2005, at 00:21, Ag. System Administrator wrote: I suppose you believe the signature on this message too, then. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
On 12 Apr 2005, at 00:21, Ag. System Administrator wrote: I suppose you believe the signature on this message too, then. PGP.sig Description: This is a digitally signed message part ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
RE: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
> -Original Message- > From: Ag. System Administrator [mailto:[EMAIL PROTECTED] > Sent: 11 April 2005 16:36 > To: Airey, John > Cc: Full-Disclosure > Subject: Re: [Full-disclosure] How to Report a Security > Vulnerability toMicrosoft > > > > Airey, John wrote: > >>-Original Message- > >>From: [EMAIL PROTECTED] > >>[mailto:[EMAIL PROTECTED] On Behalf Of > >>Microsoft Security Response Center > >>Sent: 08 April 2005 20:21 > >>To: bugtraq@securityfocus.com; > >>[EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk > >>Subject: [Full-disclosure] How to Report a Security Vulnerability > >>toMicrosoft > >> > >>-BEGIN PGP SIGNED MESSAGE- > >>Hash: SHA1 > >> > >>Hello! > >> > >>The Microsoft Security Response Center investigates all reports of > >>security vulnerabilities sent to us that affect Microsoft products. > >>If you believe you have found a security vulnerability affecting a > >>Microsoft product, we would like to work with you to investigate it. > >> > >>We are concerned that people might not know the best way to report > >>security vulnerabilities to Microsoft. You can contact the > Microsoft > >>Security Response Center to report a vulnerability by emailing > >>[EMAIL PROTECTED] directly, or you can submit your > report via our > >>web-based vulnerability reporting form located at: > >>https://www.microsoft.com/technet/security/bulletin/alertus.aspx. > >> > >>Sincerely, > >>Microsoft Security Response Center > > > > [snip] > > > > Unless there's something wrong at my end (I hope not), this message > > doesn't appear to have been signed with the key at > > http://www.microsoft.com/technet/Security/bulletin/pgp.mspx. > > > > Am I right or not? > > > not. > > Key Id: 0xAA55BC66 / Signed on: 04/08/2005 10:17 PM > > It's them... That's the key id on the web page, but the key id of the key on that page says 0x0B2E5E2D. It has fingerprint E561 2A79 6439 13E4 430B 92F0 2732 52F1 and never expires. Can anyone else confirm this? -- John Airey, BSc (Jt Hons), CNE, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] I'm cycling the 2005 Etape du Tour in France to raise vital funds for RNIB, if you'd like to sponsor me, visit http://justgiving.com/rnibetape. "A man cannot consider himself educated unless he has read the Bible" - Abraham Lincoln -- DISCLAIMER: NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system. RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
Airey, John wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Microsoft Security Response Center Sent: 08 April 2005 20:21 To: bugtraq@securityfocus.com; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello! The Microsoft Security Response Center investigates all reports of security vulnerabilities sent to us that affect Microsoft products. If you believe you have found a security vulnerability affecting a Microsoft product, we would like to work with you to investigate it. We are concerned that people might not know the best way to report security vulnerabilities to Microsoft. You can contact the Microsoft Security Response Center to report a vulnerability by emailing [EMAIL PROTECTED] directly, or you can submit your report via our web-based vulnerability reporting form located at: https://www.microsoft.com/technet/security/bulletin/alertus.aspx. Sincerely, Microsoft Security Response Center [snip] Unless there's something wrong at my end (I hope not), this message doesn't appear to have been signed with the key at http://www.microsoft.com/technet/Security/bulletin/pgp.mspx. Am I right or not? not. Key Id: 0xAA55BC66 / Signed on: 04/08/2005 10:17 PM It's them... Have fun, Dan ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
RE: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf > Of Microsoft Security Response Center > Sent: 08 April 2005 20:21 > To: bugtraq@securityfocus.com; > [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk > Subject: [Full-disclosure] How to Report a Security > Vulnerability toMicrosoft > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Hello! > > The Microsoft Security Response Center investigates all > reports of security vulnerabilities sent to us that affect > Microsoft products. > If you believe you have found a security vulnerability > affecting a Microsoft product, we would like to work with you > to investigate it. > > We are concerned that people might not know the best way to > report security vulnerabilities to Microsoft. You can contact > the Microsoft Security Response Center to report a > vulnerability by emailing [EMAIL PROTECTED] directly, or > you can submit your report via our web-based vulnerability > reporting form located at: > https://www.microsoft.com/technet/security/bulletin/alertus.aspx. > > Sincerely, > Microsoft Security Response Center [snip] Unless there's something wrong at my end (I hope not), this message doesn't appear to have been signed with the key at http://www.microsoft.com/technet/Security/bulletin/pgp.mspx. Am I right or not? -- John Airey, BSc (Jt Hons), CNE, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] I'm cycling the 2005 Etape du Tour in France to raise vital funds for RNIB, if you'd like to sponsor me, visit http://justgiving.com/rnibetape. "A man cannot consider himself educated unless he has read the Bible" - Abraham Lincoln -- DISCLAIMER: NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system. RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
> this is basicly the same response I had from my OWA advisory ... > > >VI. VENDOR RESPONSE > > > >Microsoft has reviewed the issue and has made the determination that > >while a bug fix may be implemented in a future service pack, a security > >advisory/patch will not be released for this issue > > therefore, in the interest of everones security, iDefense released the > advisory ( as did I ) without a patch being released first. > it is quite possible they ( Microsoft ) are trying to make out like they > were'nt contacted before said advisory was released but that is just my > opinion on observation. > > my 2 bits, > > Donnie Werner > That response was given to me when I reported a DoS vulnerability for Internet Explorer (which, might I add, required user interaction). It simply meens that the reported vuln, on a severity scale of 1-10, would pretty much be given a 1. If I'm not mistaken, your OWA vulnerability just spoofs the From address. Although some forms of social engineering MIGHT be possible, there is ultimately no use for something this minor. Think for a second about how much time and resources, including human labor required to produce the patch as well as the technology department employees that must install patches on every computer in large corperations, goes into making a patch. First of all, there's the whole problem with does the solution break 3rd party software. Also theres a problem with cross-platform software (they do have stuff for Mac you know). Another thing they have to worry about is how much money and resources it costs companies other than Microsoft to apply the patches. When c ommon people start seeing a lot of patches, they start losing faith in the software, which is bad for Microsoft. Therefore, the bad outweighs the good when determining whether to provide a patch for something as insignificant as your OWA advisory. I am not saying that I don't respect your efforts. I am just trying to get accross the message that Microsoft is not out to get us. Everyone thinks of them as this big evil monopolistic empire, but they're not. By the way, has anyone read Writing Secure Code by some of the guys from Microsoft? It's pretty interesting, and it offers some insight as to what are considered critical vulnerabilities and what are considered vulnerabilities with little or no severity. Believe me when I tell you (as I have had 1 on 1 conversations with many security vip's at Microsoft Campus) that Microsoft is doing everything that they can to ensure you a safe, enjoyable experience while using their software. Btw, Mr. Werner, you seem to be among the common group of anti-Microsoft individuals. May I ask what the vendor of your operating system is? What about your browser? Maybe even your word processor or html editor? Uh-huh, that's what I though. Regards, Paul Greyhats Security http://greyhatsecurity.org P.S. I do NOT work for Microsoft. I was merely invited to visit their campus and meet some of their people. Very nice bunch of folks they are. We went out to dinner on a couple occasions and had a good time. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
RE: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
I for one say this is a step in the right direction. Shows they want to work with us. Randall M "If we ever forget that we're one nation under God, then we will be a nation gone under." - Ronald Reagan _ :-Original Message- :From: [EMAIL PROTECTED] :[mailto:[EMAIL PROTECTED] On Behalf :Of Microsoft Security Response Center :Sent: Friday, April 08, 2005 2:21 PM :To: bugtraq@securityfocus.com; :[EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk :Subject: [Full-disclosure] How to Report a Security :Vulnerability toMicrosoft : :-BEGIN PGP SIGNED MESSAGE- :Hash: SHA1 : :Hello! : :The Microsoft Security Response Center investigates all :reports of security vulnerabilities sent to us that affect :Microsoft products. :If you believe you have found a security vulnerability :affecting a Microsoft product, we would like to work with you :to investigate it. : :We are concerned that people might not know the best way to :report security vulnerabilities to Microsoft. You can contact :the Microsoft Security Response Center to report a :vulnerability by emailing [EMAIL PROTECTED] directly, or :you can submit your report via our web-based vulnerability :reporting form located at: :https://www.microsoft.com/technet/security/bulletin/alertus.aspx. : :Sincerely, :Microsoft Security Response Center : :-BEGIN PGP SIGNATURE- :Version: PGP 8.1 : :iQIVAwUBQlbY4oreEgaqVbxmAQK5yhAAkm+H1/V69L5iLILNuSUSsgnd4Tw5Lzwj :uyhigxfdJR9WYXSNg/7WCoMI77G6No8QvKOfkrXqbyv6SYcR5ZVDWYzeE3+jgje+ :AfqWT9r0du8Wj7q+Qby/j61OaezQkGoX/WRM+KV/RAhSVgXybcUMmdyeBNY9TiBg :ixlCuE75VndS0vMwkf8rzGaW/YXzMveLEXKGyYhkkZEDZ+Q2NZeFwxsXUEfw8yCL :nUYm6D9KAz5ekhRNtv22eoTXfTrXOfdziEAGGB1J6hKowEgeTaKcRPuTadz4A8YB :gGzJPN3J6t1Au1IHRsgfnVou9INFtahHA5B1NbfKyHGLsoztYKqXxLo4u7Z/b2+a :Vj8yiZNmaFD1IPzPnb4LS4RBZSgPMcwaB6pbXt7Y9n/g8VmrkqouDEdprHlMltoS :JpqYpnTdZtsxaGg6wimaFv7CocdV4CKAuOpVdjvlezc6jUYLQ/H/LzgDFDekTXZv :TNJ7qzRl4GFKt2fK7+7m60x3VukWNy3JGQSxgOX7mkftfglrHzyOL6AtDwhf2ff4 :uNVbWek9bTgpVvmmpxnFGu/h5hLp5/Hqe98lv2axlbEFLP1ZD00rNPPSLCxRY/xL :8DGokeQT2Oc1HysO2jo7kpFjW4mCTTh9qK1lh0ju7gGQa66SMJ9woT2V6sSsOwpS :LO3tKPf9GIQ= :=kT17 :-END PGP SIGNATURE- :___ :Full-Disclosure - We believe in it. :Charter: http://lists.grok.org.uk/full-disclosure-charter.html :Hosted and sponsored by Secunia - http://secunia.com/ : ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
> On Fri, Apr 08, 2005 at 12:21:05PM -0700, Microsoft Security Response Center wrote: > > If you believe you have found a security vulnerability affecting a > > Microsoft product, we would like to work with you to investigate it. > > > > hahahahahaha > > m$ doing social engineering on fd, this is a joke. this is basicly the same response I had from my OWA advisory ... >VI. VENDOR RESPONSE > >Microsoft has reviewed the issue and has made the determination that >while a bug fix may be implemented in a future service pack, a security >advisory/patch will not be released for this issue therefore, in the interest of everones security, iDefense released the advisory ( as did I ) without a patch being released first. it is quite possible they ( Microsoft ) are trying to make out like they were'nt contacted before said advisory was released but that is just my opinion on observation. my 2 bits, Donnie Werner ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
Georgi Guninski wrote: > basically they want your 0days > so billg becomes more rich. Aloha, Georgi. If only it were a simple business motive, everyone could dismiss it as such. The real motive is more sinister. Microsoft wants to perpetuate the misperception that secrecy makes people safer. You and I and much of FD know this is not true, and anyone who has been in business for any length of time knows that if we could only disclose our secrets without having our lives destroyed as a result, we could prove beyond any doubt that business is the most harmful force of destruction that exists today. We all go on with our daily lives believing that our neighbor won't harm themselves by disclosing their secrets, so we don't disclose ours. It is a perpetual stalemate. Business depends on secrets for viability. Without business, governments collapse and the World enters War Version 3. Coincidence that Microsoft gets everything right on the third try? Microsoft is attempting nothing short of social engineering to spread the worldwide belief that business stability equals safety for all. Microsoft has grown influential enough that they now care deeply about world stability. They depend on it for profit growth, in fact. The fact is, a world war is far more likely when secrets become compulsory. When good people become afraid to speak the truth, war is guaranteed. Microsoft won't believe this until it is too late. Therefore, good people must stand up now and speak the truth. MICROSOFT: STOP THE WAR! NO MORE SECRETS! Regards, and best wishes, Jason Coombs [EMAIL PROTECTED] -Original Message- From: Georgi Guninski <[EMAIL PROTECTED]> Date: Fri, 8 Apr 2005 23:17:08 To:full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] How to Report a Security Vulnerability to Microsoft On Fri, Apr 08, 2005 at 12:21:05PM -0700, Microsoft Security Response Center wrote: > If you believe you have found a security vulnerability affecting a > Microsoft product, we would like to work with you to investigate it. > hahahahahaha m$ doing social engineering on fd, this is a joke. basically they want your 0days so billg becomes more rich. -- where do you want bill gates to go today? ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/