MSRC
9. *Report Timeline*
. 2008-10-08:
Core Security Technologies notifies the Microsoft Security Response
Center (MSRC) that a vulnerability has been found in Internet Explorer
(IE). Core sends a draft security advisory with technical details and
PoC files and announces its initial plan to publish the advisory on
December 1st, 2008.
. 2008-10-09:
Core Security Technologies sends the Microsoft team the information
requested. The vulnerability was triggered on Virtual PC SP1 with and
without HAV, using a Windows XP SP2 guest OS over a Windows XP SP3 host OS.
. 2009-09-08:
MSRC acknowledges Core email.
. 2009-09-08:
Vendor says that it is still investigating the bug and will have more
concrete details in a few days.
8. *Technical Description / Proof of Concept Code*
8.1. *Excel / Word - OfficeArtSpgr container - invalid recType value
leads to attacker controlled pointer usage [MSRC 9368]*
A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and
Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr
(recType 0xF003) containers that allows an attacker to cause a class
pointer to be interpreted incorrectly, leading to code execution in the
8. *Report Timeline*
. 2010-05-28:
Initial notification to the vendor. Draft advisory and proof-of-concept
files sent to MSRC. Publication date set for July 13, 2010.
. 2010-06-11:
Core requests from the vendor an update on the status of this case.
. 2010-06-14:
Core Security Technologies notified Microsoft of the dynamic OBJECT tag
vulnerability. Draft advisory sent with publication date scheduled for
September 8, 2009.
. 2009-08-12:
Microsoft's MSRC acknowledged the bug report and opened a new case.
. 2009-08-31:
Core asks for an update and reminds MSRC that September 8 2009 is the
planned public disclosure date.
9. *Report Timeline*
. 2011-02-03:
Core Security Technologies notifies the MSRC of the vulnerability,
setting the estimated publication date of the advisory to March 1st, 2011.
. 2011-02-04:
MSRC notifies that the case 10985 was opened to track this issue and a
case manager will get in contact shortly.
CVE: CVE-2009-1926
________________________________________________________________________
Vendor communication:
09.12.2008 Initial notification sent to MSRC
10.12.2008 Response from MSRC case manager - The report is
being investigated.
23.12.2008 Recurity Labs would like to know whether MSRC
9. *Report Timeline*
. 2010-06-28:
Initial notification sent to MSRC, including proof-of-concept code to
reproduce it. Publication date set to August 10, 2010.
. 2010-06-29:
MSRC acknowledges bug report. Case 10135 opened.
Response timeline
-----------------
11/11/2009: Issue discovered.
23/11/2009: Microsoft Security Response Center (MSRC) notified.
23/11/2009: MSRC acknowledges receipt of advisory.
27/11/2009: MSRC confirms the issue on XP and Server 2003.
11/12/2009: MSRC confirms issue across all platforms (2000 SP4 - Windows 7)
11/12/2009: Patch release date agreed as 12/01/2010.
05/01/2010: MSRC delays the patch to 09/02/2010.
You commented that Microsoft needs to address a communication problem.
It's irrelevant to the full disclosure issue in my mind.
I'd honestly like to know if there is a break down in communication at
the MSRC that needs to be addressed. It appears there is one?
Tavis Ormandy wrote:
> Susan, this is what is called "full disclosure", and my response was
> relevant.
9. *Report Timeline*
. 2010-04-16:
Initial notification to the vendor. Draft advisory and proof-of-concept
files sent to MSRC. Publication date set for May 10, 2010.
. 2010-04-19:
MSRC responds that case 9975cw has been opened.
. 2010-04-27:
From: Piergiorgio Venuti [mailto:piergiorgio@gigasec.org]
Sent: Saturday, November 15, 2008 5:34 AM
To: Giuseppe Gottardi
Cc: dante@alighieri.org; bugtraq@securityfocus.com;
full-disclosure@lists.grok.org.uk; secure@microsoft.com; Martin Suess
Subject: Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]
Hi all,
also I've found this vulnerability 1 year ago during a pt and work fine
with url obfuscation. I've read that with owa 2007 this vulnerability is
Thanks, Tavis.
On Thu, Jun 10, 2010 at 09:02:37AM -0700, Susan Bradley wrote:
> I'm not asking about disclosure. I'm asking what happened to the level
> of communication between you and MSRC that after 4 days you posted this?
>
> Tavis Ormandy wrote:
> >Susan, I wish I had the time to hold your hand through getting up to
> >speed on the disclosure debate. Instead, I would suggest starting with
> >the links in my advisory which were intended to give you enough
I'm not asking about disclosure. I'm asking what happened to the level
of communication between you and MSRC that after 4 days you posted this?
Tavis Ormandy wrote:
> Susan, I wish I had the time to hold your hand through getting up to
> speed on the disclosure debate. Instead, I would suggest starting with
> the links in my advisory which were intended to give you enough
> background to understand the issues involved (skip to the Notes section,
> if you like).
>
>>>
>>> Tue, 10 Apr 2007 15:40:13 +0200
>>>
>>> You read exactly, April 2007, 1 year and 6 months ago. :(
>>>
>>> The Microsoft Security Response Center opened the case ID MSRC 7368br.
>>>
>>> The bug has never been patched since 1 year and 6 months.
>>> I asked time to time for updates but they always answered me that the
>>> bug had to be patched with the next Service Pack and they did not have
>>> any ETA.
>
> Tue, 10 Apr 2007 15:40:13 +0200
>
> You read exactly, April 2007, 1 year and 6 months ago. :(
>
> The Microsoft Security Response Center opened the case ID MSRC 7368br.
>
> The bug has never been patched since 1 year and 6 months.
> I asked time to time for updates but they always answered me that the
> bug had to be patched with the next Service Pack and they did not have
> any ETA.
Tue, 10 Apr 2007 15:40:13 +0200
You read exactly, April 2007, 1 year and 6 months ago. :(
The Microsoft Security Response Center opened the case ID MSRC 7368br.
The bug has never been patched since 1 year and 6 months.
I asked time to time for updates but they always answered me that the
bug had to be patched with the next Service Pack and they did not have
any ETA.
From: "Davide Del Vecchio" <dante@alighieri.org>
To: <bugtraq@securityfocus.com>; <full-disclosure@lists.grok.org.uk>;
<secure@microsoft.com>
Sent: Friday, October 17, 2008 12:07 PM
Subject: Re: [Full-disclosure] MS OWA 2003 Redirection Vulnerability -
[MSRC7368br]
> Hi,
>
> I found and notified this vulnerability to Microsoft in date:
I'm not an enterprise customer, but I am a mouthy female. So here's my
question back to you, for my education, how exactly did MSRC contact you
back?
Since June 5th have you tried emailing back or any of your contacts from
past interactions and asked what was up? I'm disappointed in this lack
of communication I see on both sides. You are ...well... Tavis
Ormandy... I seriously doubt MSRC is blowing you off here.
Keep in mind we just had a LARGE patch week to deal with. I don't know
leads to Windows Calendar to a crash (after the remainder is set).
Windows Calendar crashes every time Vista is rebooted. The
vulnerability stems from NULL pointer dereference and has been
confirmed on fully updated Windows Vista. Successful at
MSRC has been informed and confirmed the situation. Both, Eleytt
and MSRC consider this issue of low impact.
Thanks, Tavis.
On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:
> I'm not an enterprise customer, but I am a mouthy female. So here's my
> question back to you, for my education, how exactly did MSRC contact you
> back?
>
> Since June 5th have you tried emailing back or any of your contacts from
> past interactions and asked what was up? I'm disappointed in this lack
> of communication I see on both sides. You are ...well... Tavis
>>
>> Tue, 10 Apr 2007 15:40:13 +0200
>>
>> You read exactly, April 2007, 1 year and 6 months ago. :(
>>
>> The Microsoft Security Response Center opened the case ID MSRC 7368br.
>>
>> The bug has never been patched since 1 year and 6 months.
>> I asked time to time for updates but they always answered me that the
>> bug had to be patched with the next Service Pack and they did not have
>> any ETA.
. 2010-02-24:
Microsoft informs Core that they ran into some issues with this update,
and requests a conference call to discuss options.
. 2010-02-25:
Conference call between Core and MSRC. Microsoft informs Core that fixes
for Movie Maker are ready to be released, but that the release of a new
version of Producer (alongside the release of Office 2010) has been
postponed from March 9th to an unspecified date. Microsoft requests that
Core postpones the publication of its advisory to an unspecified date,
in order to coordinate the release of fixes for Movie Maker and the
cross_fuzz may be known to third parties - which makes getting this tool
out a priority. ***
== VENDOR RESPONSE / STATUS ==
* Internet Explorer: MSRC notified in July 2010. Fuzzer observed to trigger
several exploitable crashes - e.g.:
http://lcamtuf.coredump.cx/cross_fuzz/msie_crash.txt
...as well as some security-relevant GDI corruption issues.
> > > StenoPlasma (at) ExploitDevelopment.com
> > >
> > > TIMELINE:
> > > Discovery: July 1, 2010
> > > Vendor Notified: August 8, 2010
> > > Vendor Dismissed: August 10, 2010 (MSRC says that there is nothing to
> > > investigate because the action can only happen after a compromise.
> > > This vulnerability deals with continued access without using DLL
> > > injection or Rootkits)
> > > Vendor Fixed: N/A
> > > Vendor Notified of Disclosure: October 26, 2010
> > StenoPlasma (at) ExploitDevelopment.com
> >
> > TIMELINE:
> > Discovery: July 1, 2010
> > Vendor Notified: August 8, 2010
> > Vendor Dismissed: August 10, 2010 (MSRC says that there is nothing to
> > investigate because the action can only happen after a compromise.
> > This vulnerability deals with continued access without using DLL
> > injection or Rootkits)
> > Vendor Fixed: N/A
> > Vendor Notified of Disclosure: October 26, 2010
> displayed
> in either case), not actually preventing anyone from (gracefully)
> shutting
> down the system without logging in.
>
> I reported this to the MSRC on 6/25/2008 and their stance was that this
> wasn't a security vulnerability, but was likely a bug, and was passed
> directly to the product team to investigate through their normal bug
> triage
> process. After some back and forth, there was silence, and I let them
> know I
StenoPlasma (at) ExploitDevelopment.com
TIMELINE:
Discovery: July 1, 2010
Vendor Notified: August 8, 2010
Vendor Dismissed: August 10, 2010 (MSRC says that there is nothing to
investigate because the action can only happen after a compromise.
This vulnerability deals with continued access without using DLL
injection or Rootkits)
Vendor Fixed: N/A
Vendor Notified of Disclosure: October 26, 2010
Core says that its analysis coincides with the vendor's and therefore
it will treat the issue as a new vulnerability assigning
CORE-2010-0623 to the corresponding security advisory. The discoverer
estimated that the issue is very likely to be exploitable. Publication
is tentatively scheduled for July 13th, 2010 but may be postponed
based on a firm commitment from MSRC and indication that the fix is
lined up for testing. Core mentions that it is very likely that
vulnerability research vendors have already found this issue and quite
possible that exploits are already being developed. Should the
information become public by a third-party Core will promptly publish
its security advisory and notify the vendor.
:Further communication:
March 20, 2009: Technical details and PoC code were sent to Tony, in PGP MIME format.
March 20, 2009: Tony replied with a new case identifier MSRC 9011jr and informed us of a new case manager, Jack.
March 21, 2009: We further reported that IE 8 was affected by the same bug, in PGP MIME format.
March 30, 2009: We asked if Microsoft had received our PoC.