evan_tech -- security bugs

12:50 pm, 16 Apr 09

security bugs

http://seclists.org/fulldisclosure/2009/Apr/0129.html:

VIII. DISCLOSURE TIMELINE
06/28/2006 - Initial Contact
06/29/2006 - PoC Requested
06/29/2006 - PoC Sent
10/05/2006 - Vendor Status Update
01/24/2007 - Vendor Status Update
02/12/2008 - Vendor Status Update
03/31/2009 - CVE Assigned
04/14/2009 - Coordinated Public Disclosure

That's a loooong time to sit on a bug.

mihaiparparita

To be fair, this is in an optional component of Word 2000, which was almost two major releases behind at the time of disclosure (Office 2007 came out 11/30/2006).

Then again, http://support.microsoft.com/gp/lifeoffice says "Office 2000 extended support period will last from July 1, 2004 through July 14, 2009" and according to http://support.microsoft.com/gp/lifepolicy extended support implies security updates.

reply to this

gaal	Also, "iDefense Labs have confirmed that the WordPerfect 6.x converter (WPFT632.CNV, with file version 1998.1.27.0) in Microsoft Word 2000 Service Pack 3 is vulnerable." — the bug is over ~~ten~~ eleven years old :-(
reply to this

evan I was mostly impressed by the reporters' restraint -- to report a bug and still wait three years before taking credit for it shows, uh, something.

reply to this

evan	I was mostly impressed by the reporters' restraint -- to report a bug and still wait three years before taking credit for it shows, uh, something.
reply to this