I wanted to follow up with my experience in submitting a vulnerability in Internet Explorer to Microsoft in October of 2004. It still isn’t patched (June 05), and no official publication from Microsoft has ever acknowledged it’s there.
Here is the timetable of how things went. You can decide if they dropped the ball.
10/26/04 - 12:01 am First things first, I could not find the proper Microsoft form to submit the vulnerability to them (and the one I did find was unavailable), so I submitted it to Secunia.
10/26/04 - 9am I submitted it to SecurityFocus Bugtraq.
10/26/04 - 10:33pm I found the right form at Microsoft, so I submitted it via https://s.microsoft.com/technet/security/bulletin/alertus.aspx
The games begin:
10/27/04 - noon Referral from http://www.newsisfree.com/sources/browse/?cat=140&first=100; several people then check my page from an address which had no reverse lookup.
10/28 BUGTRAQ ID 11536. Still no word from Microsoft.
10/28/04 - 6am Possible check by Microsoft. Though the IP doesn’t reverse lookup, the proxy name is consistent with later checks. At the same time, several other people check from European IP addresses.
Waiting again
10/28/04 - 6:01pm Microsoft finally checks the site. Ten minutes later, at 6:11, I have an email response from a Christoper CISSP saying they will investigate. Within the hour two other Microsoft employees check it out. The first checked it from WinNT5.2, the second from XP and the last from Win NT5.2 again (these are what their browser reported anyway).
10/29/04 - 11:09pm Microsoft checks again.
10/31/04 and again
Then after a few more checks they were never to be heard from again. Perhaps it’ll be fixed someday; perhaps not.
Nice to know things like this are out there; Microsoft knows about them, but won’t say a word.
In addition to this vulnerability, I received even less response when I submitted about an Inline list Race Condition vulnerability that also exists in Internet Explorer.