IE Vulerability Follow up

by @jehiah on 2005-06-14 03:10UTC
Filed under: All , HTML , Articles , Security

I wanted to follow up with my experience in submitting a vulnerability in Internet Explorer to Microsoft in October of 2004. It still isn’t patched (June 05), and no official publication from microsoft has ever acknowldeged it’s there.

Here is the timetable of how things went. You can decide if they dropped the ball.

10/26/04 - 12:01 am First things first, I could not find the proper microsoft form to submit the vulnerability to them (and the one I did find was unavailable) so I submitted it to secunia

10/26/04 - 9am I submitted it to securityfocus bugtraq

10/26/04 - 10:33pm I found the right form at microsoft so I submitted it via

The games begin :

10/27/04 - noon Referral from several people then check my page from an address which had no reverse lookup

1028 BUGTRAQ ID 11536. Still no word from microsoft

10/28/04 - 6:am Possible check by microsoft. Though the ip doesn’t reverse lookup, the proxy name is consistent with later checks. At the same time, several other people check from europian ip addresses.

Waiting again

10/28/04 - 6:01pm Microsoft finally checks the site. Ten minutes later at 6:11 I have an email responce from a Christoper CISSP saying they will investigate. Within the hour two other microsoft employees check it out. The first checked it from WinNT5.2, the second from XP and the last from Win NT5.2 again (these are what their browser reported anyway).

10/29/04 - 11:09pm Microsoft checks again

10/31/04 and again

Then after a few more checks they were never to be heard from again. Perhaphs it’ll be fixed someday; perhaphs not.

Nice to know things like this are out there; Microsoft knows about them, but won’t say a word.

In addition to this vulnerability; I recieved even less responce when I submitted about a Inline list Race Condition vulnerability that also exists in Internet Explorer.

Subscribe via RSS ı Email
© 2023 - Jehiah Czebotar