Discovered Security Vunerability in WinXP SP2

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

To All:

I recently discovered a security vulnerability in WinXP SP2 and IE6.
After an EXHAUSTIVE search of the MSKB, I could not find with an article
documenting the security flaw that I discovered.

I was able to duplicate the problem 3 times and the next day at work I
showed it to one of our Windows Sysadmins and we both concluded that I
had indeed discovered an undocumented security flaw in WinXP SP2 and IE6.

My own background, I have been a scientific programmer in Windows,
various UNIX, and (I am really giving away my age here) VAX/VMS
environments for over 15 years. Over the years, with one of our
scientific software vendors, I have discovered a few bugs that got my
name on them.

I know that the public-domain Mozilla Organization has a mechanism in
place for users to report (and I might add, get rewarded) for turning in
newly discovered security vulnerabilities in their public-domain
software.

As I computer professional, how do I let private-sector Microsoft know
that I have discovered an undocumented security vulnerability in WinXP
SP2 and IE6 (especially before a hacker exploits it and causes trouble)?

Thanks,

Steve

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Microsoft Product Feedback
http://register.microsoft.com/mswish/suggestion.asp

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

----------------------------------------------------------------------------

"Steve H" wrote:

| To All:
|
| I recently discovered a security vulnerability in WinXP SP2 and IE6.
| After an EXHAUSTIVE search of the MSKB, I could not find with an article
| documenting the security flaw that I discovered.
|
| I was able to duplicate the problem 3 times and the next day at work I
| showed it to one of our Windows Sysadmins and we both concluded that I
| had indeed discovered an undocumented security flaw in WinXP SP2 and IE6.
|
| My own background, I have been a scientific programmer in Windows,
| various UNIX, and (I am really giving away my age here) VAX/VMS
| environments for over 15 years. Over the years, with one of our
| scientific software vendors, I have discovered a few bugs that got my
| name on them.
|
| I know that the public-domain Mozilla Organization has a mechanism in
| place for users to report (and I might add, get rewarded) for turning in
| newly discovered security vulnerabilities in their public-domain
| software.
|
| As I computer professional, how do I let private-sector Microsoft know
| that I have discovered an undocumented security vulnerability in WinXP
| SP2 and IE6 (especially before a hacker exploits it and causes trouble)?
|
| Thanks,
|
| Steve

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Carey Frisch [MVP] wrote:
> Microsoft Product Feedback
> http://register.microsoft.com/mswish/suggestion.asp
>
Carey:

Thanks for the Re.

Microsoft has got to have a better method than that! You mean that they
do not have a more DIRECT Point Of Contact DEDICATED to reporting
security vulnerabilities? A product feedback form like that could
easily result in VERY important information ending up in the "bit bucket".

I realize the Microsoft is a much bigger operation than the Mozilla
Organization, but one click from the Mozilla home page, I get:

http://www.mozilla.org/security/

Report security-related bugs and learn more about how we secure our
products:

* If you believe that you've found a Mozilla-related security
vulnerability, please report it by sending email to the address
security@mozilla.org. Note that your report may be eligible for a
reward; see below.
* For more information on how to report security vulnerabilities
and how the Mozilla community will respond to such reports, see our
policy for handling security bugs.

Steve

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Carey Frisch [MVP] wrote:
> Microsoft Product Feedback
> http://register.microsoft.com/mswish/suggestion.asp


Steve H wrote:
> Thanks for the Re.
>
> Microsoft has got to have a better method than that! You mean that
> they do not have a more DIRECT Point Of Contact DEDICATED to reporting
> security vulnerabilities? A product feedback form like that could
> easily result in VERY important information ending up in the "bit
> bucket".
> I realize the Microsoft is a much bigger operation than the Mozilla
> Organization, but one click from the Mozilla home page, I get:
>
> http://www.mozilla.org/security/
>
> Report security-related bugs and learn more about how we secure our
> products:
>
> * If you believe that you've found a Mozilla-related security
> vulnerability, please report it by sending email to the address
> security@mozilla.org. Note that your report may be eligible for a
> reward; see below.
> * For more information on how to report security vulnerabilities
> and how the Mozilla community will respond to such reports, see our
> policy for handling security bugs.

Using Microsoft search.. (which should be simpler than finding an unreported
vulnerability):
https://s.microsoft.com/technet/security/bulletin/alertus.aspx

--
<- Shenan ->
--
The information is provided "as is", it is suggested you research for
yourself before you take any advice - you are the one ultimately
responsible for your actions/problems/solutions. Know what you are
getting into before you jump in with both feet.

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Shenan Stanley wrote:
> Carey Frisch [MVP] wrote:
>
>>Microsoft Product Feedback
>>http://register.microsoft.com/mswish/suggestion.asp
>
>
>
> Steve H wrote:
>
>>Thanks for the Re.
>>
>>Microsoft has got to have a better method than that! You mean that
>>they do not have a more DIRECT Point Of Contact DEDICATED to reporting
>>security vulnerabilities? A product feedback form like that could
>>easily result in VERY important information ending up in the "bit
>>bucket".
>>I realize the Microsoft is a much bigger operation than the Mozilla
>>Organization, but one click from the Mozilla home page, I get:
>>
>>http://www.mozilla.org/security/
>>
>>Report security-related bugs and learn more about how we secure our
>>products:
>>
>> * If you believe that you've found a Mozilla-related security
>>vulnerability, please report it by sending email to the address
>>security@mozilla.org. Note that your report may be eligible for a
>>reward; see below.
>> * For more information on how to report security vulnerabilities
>>and how the Mozilla community will respond to such reports, see our
>>policy for handling security bugs.
>
>
> Using Microsoft search.. (which should be simpler than finding an unreported
> vulnerability):
> https://s.microsoft.com/technet/security/bulletin/alertus.aspx
>
Shenan

Thanks for the much better Re. It is late at night and I am tired so
tomorrow when I am more awake, I will respond with the detailed info
required for the web page that you sent me.

Steve

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Steve H" <aymes.srh@netcast.com> wrote in message
news:ejmuoXqAFHA.3236@TK2MSFTNGP15.phx.gbl...
......
>
> Thanks for the much better Re. It is late at night and I am tired so
> tomorrow when I am more awake, I will respond with the detailed info
> required for the web page that you sent me.
>
> Steve

Steve,

I assume you mean that you will fill the details into the web page at
https://s.microsoft.com/technet/security/bulletin/alertus.aspx
Please do not discuss your potential vulnerability in this pubic newsgroup.
--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Steve H" <aymes.srh@netcast.com> wrote in message
news:ejmuoXqAFHA.3236@TK2MSFTNGP15.phx.gbl...
> Shenan Stanley wrote:
>> Carey Frisch [MVP] wrote:
>>
>>>Microsoft Product Feedback
>>>http://register.microsoft.com/mswish/suggestion.asp
>>
>>
>>
>> Steve H wrote:
>>
>>>Thanks for the Re.
>>>
>>>Microsoft has got to have a better method than that! You mean that
>>>they do not have a more DIRECT Point Of Contact DEDICATED to reporting
>>>security vulnerabilities? A product feedback form like that could
>>>easily result in VERY important information ending up in the "bit
>>>bucket".
>>>I realize the Microsoft is a much bigger operation than the Mozilla
>>>Organization, but one click from the Mozilla home page, I get:
>>>
>>>http://www.mozilla.org/security/
>>>
>>>Report security-related bugs and learn more about how we secure our
>>>products:
>>>
>>> * If you believe that you've found a Mozilla-related security
>>>vulnerability, please report it by sending email to the address
>>>security@mozilla.org. Note that your report may be eligible for a
>>>reward; see below.
>>> * For more information on how to report security vulnerabilities
>>>and how the Mozilla community will respond to such reports, see our
>>>policy for handling security bugs.
>>
>>
>> Using Microsoft search.. (which should be simpler than finding an
>> unreported vulnerability):
>> https://s.microsoft.com/technet/security/bulletin/alertus.aspx
>>
> Shenan
>
> Thanks for the much better Re. It is late at night and I am tired so
> tomorrow when I am more awake, I will respond with the detailed info
> required for the web page that you sent me.
>
> Steve

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Mike Brannigan [MSFT] wrote:
> "Steve H" <aymes.srh@netcast.com> wrote in message
> news:ejmuoXqAFHA.3236@TK2MSFTNGP15.phx.gbl...
> .....
>
>>Thanks for the much better Re. It is late at night and I am tired so
>>tomorrow when I am more awake, I will respond with the detailed info
>>required for the web page that you sent me.
>>
>>Steve
>
>
> Steve,
>
> I assume you mean that you will fill the details into the web page at
> https://s.microsoft.com/technet/security/bulletin/alertus.aspx
> Please do not discuss your potential vulnerability in this pubic newsgroup.

Mike:

What and let a potential hacker read about this vulnerability on a
public forum before Microsoft can address it!

Steve

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Mike Brannigan [MSFT] wrote:
> "Steve H" <aymes.srh@netcast.com> wrote in message
> news:ejmuoXqAFHA.3236@TK2MSFTNGP15.phx.gbl...
> .....
>
>>Thanks for the much better Re. It is late at night and I am tired so
>>tomorrow when I am more awake, I will respond with the detailed info
>>required for the web page that you sent me.
>>
>>Steve
>
>
> Steve,
>
> I assume you mean that you will fill the details into the web page at
> https://s.microsoft.com/technet/security/bulletin/alertus.aspx
> Please do not discuss your potential vulnerability in this pubic newsgroup.

Mike:

What and let a potential hacker read about this vulnerability on a
public forum before Microsoft can address it!

Steve

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi Steve,
I have forwarded your post to a MS security unit. I expect they'll contact
you by email.

Ron Chamberlin
MS-MVP

"Steve H" <aymes.srh@netcast.com> wrote in message
news:OWtQuMpAFHA.3336@TK2MSFTNGP11.phx.gbl...
> To All:
>
> I recently discovered a security vulnerability in WinXP SP2 and IE6. After
> an EXHAUSTIVE search of the MSKB, I could not find with an article
> documenting the security flaw that I discovered.
>
> I was able to duplicate the problem 3 times and the next day at work I
> showed it to one of our Windows Sysadmins and we both concluded that I had
> indeed discovered an undocumented security flaw in WinXP SP2 and IE6.
>
> My own background, I have been a scientific programmer in Windows, various
> UNIX, and (I am really giving away my age here) VAX/VMS environments for
> over 15 years. Over the years, with one of our scientific software
> vendors, I have discovered a few bugs that got my name on them.
>
> I know that the public-domain Mozilla Organization has a mechanism in
> place for users to report (and I might add, get rewarded) for turning in
> newly discovered security vulnerabilities in their public-domain software.
>
> As I computer professional, how do I let private-sector Microsoft know
> that I have discovered an undocumented security vulnerability in WinXP SP2
> and IE6 (especially before a hacker exploits it and causes trouble)?
>
> Thanks,
>
> Steve
>
>
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Ron:

Thanks for the Re. I am not used to top-posting in NG's. My email
address is munged so if you forwarded my post to MS security, then how
will MS contact me?

I reviewed the on-line form at

https://s.microsoft.com/technet/security/bulletin/alertus.aspx

that Mike Brannigan [Microsoft] directed me to.

I had a very hard day at work today, so I was too tired when I got home
to compose a concise description of the security vulnerability to fit
into this form. I have one other important computer-related task at
home that I did not get done today either, so I will try to get the form
completed for MS either Wednesday or Thursday night.

In the meantime, I am silent about the security vulnerability.

Steve

Ron Chamberlin wrote:
> Hi Steve,
> I have forwarded your post to a MS security unit. I expect they'll contact
> you by email.
>
> Ron Chamberlin
> MS-MVP
>
> "Steve H" <aymes.srh@netcast.com> wrote in message
> news:OWtQuMpAFHA.3336@TK2MSFTNGP11.phx.gbl...
>
>>To All:
>>
>>I recently discovered a security vulnerability in WinXP SP2 and IE6. After
>>an EXHAUSTIVE search of the MSKB, I could not find with an article
>>documenting the security flaw that I discovered.
>>
>>I was able to duplicate the problem 3 times and the next day at work I
>>showed it to one of our Windows Sysadmins and we both concluded that I had
>>indeed discovered an undocumented security flaw in WinXP SP2 and IE6.
>>
>>My own background, I have been a scientific programmer in Windows, various
>>UNIX, and (I am really giving away my age here) VAX/VMS environments for
>>over 15 years. Over the years, with one of our scientific software
>>vendors, I have discovered a few bugs that got my name on them.
>>
>>I know that the public-domain Mozilla Organization has a mechanism in
>>place for users to report (and I might add, get rewarded) for turning in
>>newly discovered security vulnerabilities in their public-domain software.
>>
>>As I computer professional, how do I let private-sector Microsoft know
>>that I have discovered an undocumented security vulnerability in WinXP SP2
>>and IE6 (especially before a hacker exploits it and causes trouble)?
>>
>>Thanks,
>>
>>Steve