Re: How to Report a Security Vulnerability to Microsoft

[Kevin <kkadow () gmail com>]

On a related note, today we ran into (headfirst) a bug in Internet
Explorer with the processing of a AutoProxy scripts (Proxy Automatic
Configuration aka "PAC", a specialized subset of javascript to make
client-side web proxy routing decisions).

Eventually I isolated the problem to a broken implementation of
dnsDomainIs() in Internet Explorer, so I decided to do the right thing
and report the bug to Microsoft.  This isn't a higly critical security
flaw, so I hunted around microsoft.com and eventually found the page
on bug reporting:  http://support.microsoft.com/gp/contactbug

The page states "If you think you have found a bug in a Microsoft
product, contact our Microsoft Product Support Services department. 
(800) MICROSOFT (642-7676)".  No email address, no web form, just a
phone number.

So I call this number, and after five minutes of sitting through IVR
menus, I finally reach a live human.  She asks for my name and phone
number, and as soon as I mention that I am reporting a bug in Internet
Explorer, says she will transfer my call.

At that point I get fifteen seconds of music on hold, followed by dead
air.  That was a half hour ago.


Kevin Kadow

(P.S. Yes, this is definitely a bug in MSIE -- every other browser
I've tried handles dnsDomainIs() correctly, the sole exception is
MSIE).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/