Re: Cross-Site Scripting in Unparsable XML Files (GM#013-IE)

From: Steven M. Christey (coleyat_private)
Date: Mon Jun 23 2003 - 13:39:18 PDT


    Matt Moore said:
    
    >I also reported this to Microsoft - sometime around May or June
    >2002...  I copied Steve Christey at Mitre on a couple of the emails
    
    I can confirm that on July 19, 2002, Matt CC'ed me on an email to the
    Microsoft Security Response Center in which Matt asked about when his
    reported issue would be fixed.  Included in that email was a trail of
    other messages dating back to his original notification of June 25,
    2002, with a subject of "Potential Cross Site Scripting Flaw in
    Internet Explorer XML Parser".
    
    Matt's original email includes the following:
    
      ... it's possible to perform XSS attacks against IE clients of a web
      server that has a malformed XML document residing on it.
    
      ... The XML parser in IE should sanitise any resource names it
      includes in its error messages. It appears that various [sic] of
      the IE XML parser error pages are vulnerable to this.
    
    >this may already have a CAN entry.
    
    For disclosures in which the vendor actively uses CVE identifiers,
    such as Microsoft, our general approach is to encourage the researcher
    to obtain a CVE name through the vendor.  This reduces the risk of
    accidental duplication and errors in assigning CVE names, e.g. if
    multiple researchers find the same issue, or if researchers find the
    "symptoms" of a larger problem.
    
    We do follow the "30-day" disclosure guideline and provide a CAN to
    the researcher if they want to publicize an issue after 30 days, but
    in this case Matt did not release, so a CAN was not assigned until
    this issue was publicized by GreyMagic (CAN-2003-0446).
    
    
    Steve Christey
    CVE Editor
    
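    The pattern Matt's quoted report describes, as an added illustration
    (not code from this thread, from Matt Moore's report, or from
    Microsoft): an error page that echoes the name of the resource it
    failed to parse, rendered once with the name inserted raw and once
    with it HTML-escaped. The page template, the function names and the
    sample URL are assumptions for the example, not IE's actual markup or
    internals.

```javascript
// Added example, not from the original thread. Shows why a parser error
// page that echoes the requested resource name is a reflected XSS sink,
// and the escaping that closes it. The template text, function names and
// sample URL are assumptions for illustration, not IE internals.

// Minimal HTML escaping for text placed into element content or an
// attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the resource name (taken from the URL the client requested,
// so attacker-influenced) is concatenated straight into the HTML page.
function renderParseErrorVulnerable(resourceName, parserMessage) {
  return "<html><body><h1>The XML page cannot be displayed</h1>" +
    "<p>" + parserMessage + "</p>" +
    "<p>Error processing resource '" + resourceName + "'</p>" +
    "</body></html>";
}

// Hardened: every untrusted string is escaped before insertion, so the
// payload is shown as text rather than interpreted as markup.
function renderParseErrorSafe(resourceName, parserMessage) {
  return "<html><body><h1>The XML page cannot be displayed</h1>" +
    "<p>" + escapeHtml(parserMessage) + "</p>" +
    "<p>Error processing resource '" + escapeHtml(resourceName) + "'</p>" +
    "</body></html>";
}

// Crude detector for the demonstration: the template contains no script
// element, so any <script in the output was injected via the inputs.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a link to a malformed XML document on the
// victim site, with the payload carried in the query string. Because the
// document is malformed, the parser fails and reports the resource name.
const SAMPLE_RESOURCE =
  "http://victim.example/data/broken.xml?x=<script>alert(document.cookie)</script>";
const SAMPLE_PARSER_MESSAGE = "End tag 'b' does not match the start tag 'a'.";

// Renders both variants for the sample and reports whether each one
// carries the injected script element.
function demo() {
  const vuln = renderParseErrorVulnerable(SAMPLE_RESOURCE, SAMPLE_PARSER_MESSAGE);
  const safe = renderParseErrorSafe(SAMPLE_RESOURCE, SAMPLE_PARSER_MESSAGE);
  return {
    vulnerableInjected: containsInjectedScript(vuln),
    safeInjected: containsInjectedScript(safe),
    safeHtml: safe,
  };
}

console.log(demo());
```

    The attacker needs nothing on the victim server beyond an XML file
    that already fails to parse; the payload travels in the link the
    victim clicks, and the error page reflects it back into the victim
    site's origin. Escaping is the parser's job because the document
    owner never controlled the error page's markup.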



    This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 16:30:25 PDT