Disclosure of the week (2): Excel opcode vuln
There are many ways to disclose vulnerabilities.
This is the Fortinet Security Research Team way:
1. Release FortiGuard Advisory FGA-2006-30 while MS07-002 is not yet public
2. Include Microsoft Security Bulletin 927198 and CVE-2006-3432 references, which do not exist and are not accessible
3. Publish advice to “apply the update provided by Microsoft”
4. Wait for MS January security updates
5. Ignore FGA-2006-30 and generate a redirection to FGA-2007-01
6. Change the Microsoft Security Bulletin reference to MS07-002 and the CVE name to CVE-2007-028, with three digits in ‘0028’
7. Don’t release any revision history or information about new CVE name or about removed 2006-30 advisory
8. Wait and see whether users notice what you have done
Update: According to Google’s cache, for example, this advisory was released.