Discovered Security Vulnerability in WinXP SP2

Archived from groups: microsoft.public.windowsxp.security_admin

To All:

I recently discovered a security vulnerability in WinXP SP2 and IE6.
After an EXHAUSTIVE search of the MSKB, I could not find an article
documenting the security flaw that I discovered.

I was able to duplicate the problem 3 times and the next day at work I
showed it to one of our Windows Sysadmins and we both concluded that I
had indeed discovered an undocumented security flaw in WinXP SP2 and IE6.

My own background, I have been a scientific programmer in Windows,
various UNIX, and (I am really giving away my age here) VAX/VMS
environments for over 15 years. Over the years, with one of our
scientific software vendors, I have discovered a few bugs that got my
name on them.

I know that the public-domain Mozilla Organization has a mechanism in
place for users to report (and I might add, get rewarded) for turning in
newly discovered security vulnerabilities in their public-domain
software.

As a computer professional, how do I let private-sector Microsoft know
that I have discovered an undocumented security vulnerability in WinXP
SP2 and IE6 (especially before a hacker exploits it and causes trouble)?

Thanks,

Steve
  1.

    Microsoft Product Feedback
    http://register.microsoft.com/mswish/suggestion.asp

    --
    Carey Frisch
    Microsoft MVP
    Windows XP - Shell/User

    Be Smart! Protect Your PC!
    http://www.microsoft.com/athome/security/protect/default.aspx

    ----------------------------------------------------------------------------

    "Steve H" wrote:

    | To All:
    |
    | I recently discovered a security vulnerability in WinXP SP2 and IE6.
    | After an EXHAUSTIVE search of the MSKB, I could not find an article
    | documenting the security flaw that I discovered.
    |
    | I was able to duplicate the problem 3 times and the next day at work I
    | showed it to one of our Windows Sysadmins and we both concluded that I
    | had indeed discovered an undocumented security flaw in WinXP SP2 and IE6.
    |
    | My own background, I have been a scientific programmer in Windows,
    | various UNIX, and (I am really giving away my age here) VAX/VMS
    | environments for over 15 years. Over the years, with one of our
    | scientific software vendors, I have discovered a few bugs that got my
    | name on them.
    |
    | I know that the public-domain Mozilla Organization has a mechanism in
    | place for users to report (and I might add, get rewarded) for turning in
    | newly discovered security vulnerabilities in their public-domain
    | software.
    |
    | As a computer professional, how do I let private-sector Microsoft know
    | that I have discovered an undocumented security vulnerability in WinXP
    | SP2 and IE6 (especially before a hacker exploits it and causes trouble)?
    |
    | Thanks,
    |
    | Steve
  2.

    Carey Frisch [MVP] wrote:
    > Microsoft Product Feedback
    > http://register.microsoft.com/mswish/suggestion.asp
    >
    Carey:

    Thanks for the Re.

    Microsoft has got to have a better method than that! You mean that they
    do not have a more DIRECT Point Of Contact DEDICATED to reporting
    security vulnerabilities? A product feedback form like that could
    easily result in VERY important information ending up in the "bit bucket".

    I realize that Microsoft is a much bigger operation than the Mozilla
    Organization, but one click from the Mozilla home page, I get:

    http://www.mozilla.org/security/

    Report security-related bugs and learn more about how we secure our
    products:

    * If you believe that you've found a Mozilla-related security
    vulnerability, please report it by sending email to the address
    security@mozilla.org. Note that your report may be eligible for a
    reward; see below.
    * For more information on how to report security vulnerabilities
    and how the Mozilla community will respond to such reports, see our
    policy for handling security bugs.

    Steve
  3.

    Carey Frisch [MVP] wrote:
    > Microsoft Product Feedback
    > http://register.microsoft.com/mswish/suggestion.asp


    Steve H wrote:
    > Thanks for the Re.
    >
    > Microsoft has got to have a better method than that! You mean that
    > they do not have a more DIRECT Point Of Contact DEDICATED to reporting
    > security vulnerabilities? A product feedback form like that could
    > easily result in VERY important information ending up in the "bit
    > bucket".
    > I realize that Microsoft is a much bigger operation than the Mozilla
    > Organization, but one click from the Mozilla home page, I get:
    >
    > http://www.mozilla.org/security/
    >
    > Report security-related bugs and learn more about how we secure our
    > products:
    >
    > * If you believe that you've found a Mozilla-related security
    > vulnerability, please report it by sending email to the address
    > security@mozilla.org. Note that your report may be eligible for a
    > reward; see below.
    > * For more information on how to report security vulnerabilities
    > and how the Mozilla community will respond to such reports, see our
    > policy for handling security bugs.

    Using Microsoft search.. (which should be simpler than finding an unreported
    vulnerability):
    https://s.microsoft.com/technet/security/bulletin/alertus.aspx

    --
    <- Shenan ->
    --
    The information is provided "as is", it is suggested you research for
    yourself before you take any advice - you are the one ultimately
    responsible for your actions/problems/solutions. Know what you are
    getting into before you jump in with both feet.
  4.

    Shenan Stanley wrote:
    > Carey Frisch [MVP] wrote:
    >
    >>Microsoft Product Feedback
    >>http://register.microsoft.com/mswish/suggestion.asp
    >
    >
    >
    > Steve H wrote:
    >
    >>Thanks for the Re.
    >>
    >>Microsoft has got to have a better method than that! You mean that
    >>they do not have a more DIRECT Point Of Contact DEDICATED to reporting
    >>security vulnerabilities? A product feedback form like that could
    >>easily result in VERY important information ending up in the "bit
    >>bucket".
    >>I realize that Microsoft is a much bigger operation than the Mozilla
    >>Organization, but one click from the Mozilla home page, I get:
    >>
    >>http://www.mozilla.org/security/
    >>
    >>Report security-related bugs and learn more about how we secure our
    >>products:
    >>
    >> * If you believe that you've found a Mozilla-related security
    >>vulnerability, please report it by sending email to the address
    >>security@mozilla.org. Note that your report may be eligible for a
    >>reward; see below.
    >> * For more information on how to report security vulnerabilities
    >>and how the Mozilla community will respond to such reports, see our
    >>policy for handling security bugs.
    >
    >
    > Using Microsoft search.. (which should be simpler than finding an unreported
    > vulnerability):
    > https://s.microsoft.com/technet/security/bulletin/alertus.aspx
    >
    Shenan

    Thanks for the much better Re. It is late at night and I am tired so
    tomorrow when I am more awake, I will respond with the detailed info
    required for the web page that you sent me.

    Steve
  5.

    "Steve H" <aymes.srh@netcast.com> wrote in message
    news:ejmuoXqAFHA.3236@TK2MSFTNGP15.phx.gbl...
    ......
    >
    > Thanks for the much better Re. It is late at night and I am tired so
    > tomorrow when I am more awake, I will respond with the detailed info
    > required for the web page that you sent me.
    >
    > Steve

    Steve,

    I assume you mean that you will fill the details into the web page at
    https://s.microsoft.com/technet/security/bulletin/alertus.aspx
    Please do not discuss your potential vulnerability in this public newsgroup.
    --

    Regards,

    Mike
    --
    Mike Brannigan [Microsoft]

    This posting is provided "AS IS" with no warranties, and confers no
    rights

    Please note I cannot respond to e-mailed questions, please use these
    newsgroups

    "Steve H" <aymes.srh@netcast.com> wrote in message
    news:ejmuoXqAFHA.3236@TK2MSFTNGP15.phx.gbl...
    > Shenan Stanley wrote:
    >> Carey Frisch [MVP] wrote:
    >>
    >>>Microsoft Product Feedback
    >>>http://register.microsoft.com/mswish/suggestion.asp
    >>
    >>
    >>
    >> Steve H wrote:
    >>
    >>>Thanks for the Re.
    >>>
    >>>Microsoft has got to have a better method than that! You mean that
    >>>they do not have a more DIRECT Point Of Contact DEDICATED to reporting
    >>>security vulnerabilities? A product feedback form like that could
    >>>easily result in VERY important information ending up in the "bit
    >>>bucket".
    >>>I realize that Microsoft is a much bigger operation than the Mozilla
    >>>Organization, but one click from the Mozilla home page, I get:
    >>>
    >>>http://www.mozilla.org/security/
    >>>
    >>>Report security-related bugs and learn more about how we secure our
    >>>products:
    >>>
    >>> * If you believe that you've found a Mozilla-related security
    >>>vulnerability, please report it by sending email to the address
    >>>security@mozilla.org. Note that your report may be eligible for a
    >>>reward; see below.
    >>> * For more information on how to report security vulnerabilities
    >>>and how the Mozilla community will respond to such reports, see our
    >>>policy for handling security bugs.
    >>
    >>
    >> Using Microsoft search.. (which should be simpler than finding an
    >> unreported vulnerability):
    >> https://s.microsoft.com/technet/security/bulletin/alertus.aspx
    >>
    > Shenan
    >
    > Thanks for the much better Re. It is late at night and I am tired so
    > tomorrow when I am more awake, I will respond with the detailed info
    > required for the web page that you sent me.
    >
    > Steve
  6.

    Mike Brannigan [MSFT] wrote:
    > "Steve H" <aymes.srh@netcast.com> wrote in message
    > news:ejmuoXqAFHA.3236@TK2MSFTNGP15.phx.gbl...
    > .....
    >
    >>Thanks for the much better Re. It is late at night and I am tired so
    >>tomorrow when I am more awake, I will respond with the detailed info
    >>required for the web page that you sent me.
    >>
    >>Steve
    >
    >
    > Steve,
    >
    > I assume you mean that you will fill the details into the web page at
    > https://s.microsoft.com/technet/security/bulletin/alertus.aspx
    > Please do not discuss your potential vulnerability in this public newsgroup.

    Mike:

    What, and let a potential hacker read about this vulnerability on a
    public forum before Microsoft can address it!

    Steve
  8.

    Hi Steve,
    I have forwarded your post to a MS security unit. I expect they'll contact
    you by email.

    Ron Chamberlin
    MS-MVP

    "Steve H" <aymes.srh@netcast.com> wrote in message
    news:OWtQuMpAFHA.3336@TK2MSFTNGP11.phx.gbl...
    > To All:
    >
    > I recently discovered a security vulnerability in WinXP SP2 and IE6. After
    > an EXHAUSTIVE search of the MSKB, I could not find an article
    > documenting the security flaw that I discovered.
    >
    > I was able to duplicate the problem 3 times and the next day at work I
    > showed it to one of our Windows Sysadmins and we both concluded that I had
    > indeed discovered an undocumented security flaw in WinXP SP2 and IE6.
    >
    > My own background, I have been a scientific programmer in Windows, various
    > UNIX, and (I am really giving away my age here) VAX/VMS environments for
    > over 15 years. Over the years, with one of our scientific software
    > vendors, I have discovered a few bugs that got my name on them.
    >
    > I know that the public-domain Mozilla Organization has a mechanism in
    > place for users to report (and I might add, get rewarded) for turning in
    > newly discovered security vulnerabilities in their public-domain software.
    >
    > As a computer professional, how do I let private-sector Microsoft know
    > that I have discovered an undocumented security vulnerability in WinXP SP2
    > and IE6 (especially before a hacker exploits it and causes trouble)?
    >
    > Thanks,
    >
    > Steve
    >
    >
    >
  9.

    Ron:

    Thanks for the Re. I am not used to top-posting in NG's. My email
    address is munged so if you forwarded my post to MS security, then how
    will MS contact me?

    I reviewed the on-line form at

    https://s.microsoft.com/technet/security/bulletin/alertus.aspx

    that Mike Brannigan [Microsoft] directed me to.

    I had a very hard day at work today, so I was too tired when I got home
    to compose a concise description of the security vulnerability to fit
    into this form. I have one other important computer-related task at
    home that I did not get done today either, so I will try to get the form
    completed for MS either Wednesday or Thursday night.

    In the meantime, I am silent about the security vulnerability.

    Steve

    Ron Chamberlin wrote:
    > Hi Steve,
    > I have forwarded your post to a MS security unit. I expect they'll contact
    > you by email.
    >
    > Ron Chamberlin
    > MS-MVP
    >
    > "Steve H" <aymes.srh@netcast.com> wrote in message
    > news:OWtQuMpAFHA.3336@TK2MSFTNGP11.phx.gbl...
    >
    >>To All:
    >>
    >>I recently discovered a security vulnerability in WinXP SP2 and IE6. After
    >>an EXHAUSTIVE search of the MSKB, I could not find an article
    >>documenting the security flaw that I discovered.
    >>
    >>I was able to duplicate the problem 3 times and the next day at work I
    >>showed it to one of our Windows Sysadmins and we both concluded that I had
    >>indeed discovered an undocumented security flaw in WinXP SP2 and IE6.
    >>
    >>My own background, I have been a scientific programmer in Windows, various
    >>UNIX, and (I am really giving away my age here) VAX/VMS environments for
    >>over 15 years. Over the years, with one of our scientific software
    >>vendors, I have discovered a few bugs that got my name on them.
    >>
    >>I know that the public-domain Mozilla Organization has a mechanism in
    >>place for users to report (and I might add, get rewarded) for turning in
    >>newly discovered security vulnerabilities in their public-domain software.
    >>
    >>As a computer professional, how do I let private-sector Microsoft know
    >>that I have discovered an undocumented security vulnerability in WinXP SP2
    >>and IE6 (especially before a hacker exploits it and causes trouble)?
    >>
    >>Thanks,
    >>
    >>Steve