On “Responsible Disclosure”: Stripping the Veil From Corporate Censorship
Matthew – December 5, 2005 at 8:31 am | In Microsoft, Commentary, Full Disclosure, Law, Culture, Cisco |
In the case of 911302, the ‘report of a vulnerability’ Microsoft cites is information published by a British firm regarding the window() race condition in its Internet Explorer browser. The catch that Microsoft fails to mention? The vulnerability had already been reported publicly, and Microsoft had discounted it as a non-exploitable flaw. The lag time between the two reports also hurts Microsoft’s case: the issue has been known since May, and the possibility of code execution was reported in November.
So, in the case of 911302, Microsoft is complaining because it failed to consider that a class of race conditions (those that reliably produce calls into freed portions of the virtual address space) that has historically proven exploitable would prove equally dangerous in this instance. A call through a dangling reference looks like a plain crash until an attacker arranges for the freed memory to be reoccupied with data of his choosing; that is exactly what turned the May crash into the November code-execution report. Microsoft failed to do its homework, and then chastised the British firm (ComputerTerrorism.com) for exposing the company’s gross negligence in its handling of this vulnerability.
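To make the point about that class of bugs concrete, here is an added C example; it is generic code written for this post, not Internet Explorer’s code and not the ComputerTerrorism.com proof of concept. It assumes a heap object that carries a function pointer (the way a C++ or COM object carries a vtable), a victim that keeps using the object after it has been freed, and an attacker who can request an allocation of the same size before the stale call happens. The names handler_t, benign_handler and attacker_handler are invented for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Internet Explorer code: a heap object whose first field
 * is a function pointer, the way a C++/COM object starts with a vtable pointer. */
typedef struct {
    void (*on_event)(void);
    char name[24];
} handler_t;

static int attacker_code_ran;

static void benign_handler(void)   { }
static void attacker_handler(void) { attacker_code_ran = 1; }

/* The attacker's reading of "a call into freed memory": after the victim object
 * is torn down but before the stale call, an allocation of the same size is
 * requested (in a browser, a string or object created from script) with
 * attacker-chosen contents. The allocator hands back the chunk the victim just
 * vacated, so the dangling call now jumps wherever the attacker wrote.
 * Returns 1 if attacker_handler ran, -1 if the allocator did not reuse the chunk. */
int stale_call_after_refill(void) {
    attacker_code_ran = 0;

    /* volatile: force the compiler to really reload the field through the
     * dangling pointer instead of assuming it still holds benign_handler. */
    volatile handler_t *victim = malloc(sizeof *victim);
    if (victim == NULL) return -1;
    victim->on_event = benign_handler;
    strcpy((char *)victim->name, "event handler");

    free((void *)victim);                     /* freed, but the reference stays live */

    /* Attacker-controlled buffer of the victim's size. The bytes where
     * on_event lived are overwritten with the address of attacker_handler. */
    unsigned char *payload = malloc(sizeof(handler_t));
    if (payload == NULL) return -1;
    void (*fake_target)(void) = attacker_handler;
    memset(payload, 'A', sizeof(handler_t));
    memcpy(payload, &fake_target, sizeof fake_target);

    if (payload != (unsigned char *)victim) {
        /* Same-size allocation did not land in the freed chunk; the groom
         * failed this time and the stale call is left alone. */
        free(payload);
        return -1;
    }

    victim->on_event();                       /* the "crash" is now a controlled call */
    free(payload);
    return attacker_code_ran;
}

int main(void) {
    int result = stale_call_after_refill();
    if (result == 1)
        puts("dangling call landed in attacker-controlled code");
    else if (result == 0)
        puts("chunk was reused but the call target was not hijacked");
    else
        puts("allocator did not reuse the freed chunk");
    return 0;
}
```

The sequence (free, same-size allocation, stale use) is the whole trick: nothing here depends on a memory-corruption primitive beyond the dangling reference itself, which is why a report of “it just crashes” is not a finding of non-exploitability. Whether the reuse is reliable depends on the allocator; with glibc’s free-list behaviour a freed chunk of a given size is the first thing handed back for the next request of that size, which is what makes this class of bug dependable for an attacker.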