Discovered Security Vulnerability in WinXP SP2

Steve H

To All:

I recently discovered a security vulnerability in WinXP SP2 and IE6.
After an EXHAUSTIVE search of the MSKB, I could not find an article
documenting the security flaw that I discovered.

I was able to duplicate the problem 3 times and the next day at work I
showed it to one of our Windows Sysadmins and we both concluded that I
had indeed discovered an undocumented security flaw in WinXP SP2 and IE6.

My own background, I have been a scientific programmer in Windows,
various UNIX, and (I am really giving away my age here) VAX/VMS
environments for over 15 years. Over the years, with one of our
scientific software vendors, I have discovered a few bugs that got my
name on them.

I know that the public-domain Mozilla Organization has a mechanism in
place for users to report (and I might add, get rewarded) for turning in
newly discovered security vulnerabilities in their public-domain
software.

As a computer professional, how do I let private-sector Microsoft know
that I have discovered an undocumented security vulnerability in WinXP
SP2 and IE6 (especially before a hacker exploits it and causes trouble)?

Thanks,

Steve
 
Carey Frisch [MVP]

Microsoft Product Feedback
http://register.microsoft.com/mswish/suggestion.asp

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

 
Steve H

Carey:

Thanks for the Re.

Microsoft has got to have a better method than that! You mean that they
do not have a more DIRECT Point Of Contact DEDICATED to reporting
security vulnerabilities? A product feedback form like that could
easily result in VERY important information ending up in the "bit bucket".

I realize that Microsoft is a much bigger operation than the Mozilla
Organization, but one click from the Mozilla home page, I get:

http://www.mozilla.org/security/

Report security-related bugs and learn more about how we secure our
products:

* If you believe that you've found a Mozilla-related security
vulnerability, please report it by sending email to the address
(e-mail address removed). Note that your report may be eligible for a
reward; see below.
* For more information on how to report security vulnerabilities
and how the Mozilla community will respond to such reports, see our
policy for handling security bugs.

Steve
 
Shenan Stanley

Using Microsoft search.. (which should be simpler than finding an unreported
vulnerability):
https://s.microsoft.com/technet/security/bulletin/alertus.aspx
 
Mike Brannigan [MSFT]

......
Thanks for the much better Re. It is late at night and I am tired so
tomorrow when I am more awake, I will respond with the detailed info
required for the web page that you sent me.

Steve

Steve,

I assume you mean that you will fill the details into the web page at
https://s.microsoft.com/technet/security/bulletin/alertus.aspx
Please do not discuss your potential vulnerability in this public newsgroup.
--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Ron Chamberlin

Hi Steve,
I have forwarded your post to a MS security unit. I expect they'll contact
you by email.

Ron Chamberlin
MS-MVP
 
Steve H

Ron:

Thanks for the Re. I am not used to top-posting in NG's. My email
address is munged so if you forwarded my post to MS security, then how
will MS contact me?

I reviewed the on-line form at

https://s.microsoft.com/technet/security/bulletin/alertus.aspx

that Mike Brannigan [Microsoft] directed me to.

I had a very hard day at work today, so I was too tired when I got home
to compose a concise description of the security vulnerability to fit
into this form. I have one other important computer-related task at
home that I did not get done today either, so I will try to get the form
completed for MS either Wednesday or Thursday night.

In the meantime, I am silent about the security vulnerability.

Steve
 
