< Paul Bremmer on CNN | Do Bush followers have a political ideology? >
More information available at:
- CVE CVE-2005-3840
- OSVDB http://www.osvdb.org/displayvuln.php?osvdb_id=2707
- SecurityTracker http://www.securitytracker.com/id?1015049
- SecurityFocus http://www.securityfocus.com/bid/15089
Here are Matthew's reasons in his own words:
Microsoft was informed of this vulnerability on August 3, 2005. Currently, the company has no plans to issue a security update to correct this vulnerability. Fixes for this issue are scheduled to be included in Service Pack 2 of Windows Server 2003 and Service Pack 3 of Windows XP. Of particular note is that Windows 2000 users will *NOT* receive an update to correct this vulnerability.
Microsoft's internal risk-assessment concluded that this issue was not sufficiently serious to be fixed in a security bulletin. This conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft. In particular, the drag-and-drop vulnerability patched by MS05-013 received an "Important" rating.
I disagree with the technical conclusion behind Microsoft's decision and I further find the timeframe of delivery and deployment for maintenance releases to be largely unsuitable for security fixes of any significant magnitude. I find the harm this decision could potentially inflict upon down-level users (most importantly, users of Windows 2000) to be unjustified by the technical concern Microsoft has raised to me. Microsoft also rejected a request that it consider the issue for inclusion in a later security update as a "Moderate" risk issue.
Due to Microsoft's noncommittal and generally unimpressive response to the issue, this advisory is being issued to inform users of this vulnerability such that defensive action may be taken as desired.