Disclosure of the week (2): Excel opcode vuln

There are many ways to disclose vulnerabilities.

This is the Fortinet Security Research Team way:

1. Release FortiGuard Advisory FGA-2006-30 while MS07-002 is not yet public
2. Include references to Microsoft Security Bulletin 927198 and CVE-2006-3432, which do not exist and are not accessible
3. Publish advice to “apply the update provided by Microsoft”
4. Wait for the Microsoft January security updates
5. Ignore FGA-2006-30 and set up a redirect to FGA-2007-01
6. Change the Microsoft Security Bulletin reference to MS07-002 and the CVE name to CVE-2007-028, with three digits in place of ’0028′
7. Don’t release any revision history or information about the new CVE name or about the removed 2006-30 advisory
8. Wait and see whether users notice how you act

Update: According to Google’s cache, this advisory, for example, was released.

  • http://security.eweek.com Larry Seltzer

    Yeah, we had this one in Ryan Naraine’s blog.

  • Marek

    Your link points to CVE-2007-3432 which does not exist indeed.

  • http://networksecurity.typepad.com/ Juha-Matti

    Thanks, Larry. I was not aware of this Ryan Naraine piece.

  • http://networksecurity.typepad.com/ Juha-Matti

    Thanks, Marek! The target link has been fixed now.