Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion Groups
DB Engine
SQL ServerMSDESQL Server CE
Services
Analysis (Data Mining)Analysis (OLAP)DTSIntegration ServicesNotification ServicesReporting Services
Programming
CLRConnectivitySQLXML
Other Technologies
ClusteringEnglish QueryFull-Text SearchReplicationService Broker
General
Data WarehousingPerformanceSecuritySetupSQL Server ToolsOther SQL Server Topics
DirectoryUser Groups
Related Topics
MS AccessOther DB ProductsMS Server Products.NET DevelopmentVB DevelopmentJava DevelopmentMore Topics ...
SQL Server Forum / General / Security / December 2005

Tip: Looking for answers? Try searching our database.

Security Issue Found

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Ole Kristian Bangås - 20 Dec 2005 22:25 GMT
After having been in contact with Microsoft Support in various countries,
both by mail and phone, what I was told to do is to post here.

Given that a few prerequisites are in place, I'm able to grant myself
access to data that I'm explicitly denied access to. No big surprise, this
is not the way it is supposed to be. I desperately want to get in touch
with someone working with security issues in Microsoft, as I do NOT want
the details to go public. But, before that happens, I have to thoughs:

- Why do I either have to pay and open a support case to report security
issues, or (even worse)
- Go public on this newsgroup?

I would strongly suggest that Microsoft make some "slightly" easier way to
report security issues with their software. I'm SO close to go public with
all the detials first, since it's so troublesome to report issues directly
to Microsoft.

Well, that's all for now.

Signature

Ole Kristian Bangås
MCT, MCDBA, MCDST, MCSE:Security, MCSE:Messaging

Reply to this Message
Dan Guzman - 20 Dec 2005 22:34 GMT
> I would strongly suggest that Microsoft make some "slightly" easier way to
> report security issues with their software.

Try:

http://www.microsoft.com/technet/security/bulletin/alertus.aspx

Signature

Hope this helps.

Dan Guzman
SQL Server MVP

> After having been in contact with Microsoft Support in various countries,
> both by mail and phone, what I was told to do is to post here.
[quoted text clipped - 15 lines]
>
> Well, that's all for now.
Reply to this Message
Ole Kristian Bangås - 20 Dec 2005 22:46 GMT
"Dan Guzman" <guzmanda@nospam-online.sbcglobal.net> wrote in news:#
9T4CWbBGHA.216@TK2MSFTNGP15.phx.gbl:

> http://www.microsoft.com/technet/security/bulletin/alertus.aspx

So why does not Microsoft Support know about this webpage?

Signature

Ole Kristian Bangås
MCT, MCDBA, MCDST, MCSE:Security, MCSE:Messaging

Reply to this Message
Dan Guzman - 20 Dec 2005 23:07 GMT
I don't know why they were not aware of the page.  I found it with a quick
google search.  I agree with you that security issues should be easy to
report so I'll bring this up.

Signature

Hope this helps.

Dan Guzman
SQL Server MVP

> "Dan Guzman" <guzmanda@nospam-online.sbcglobal.net> wrote in news:#
> 9T4CWbBGHA.216@TK2MSFTNGP15.phx.gbl:
>
>> http://www.microsoft.com/technet/security/bulletin/alertus.aspx
>
> So why does not Microsoft Support know about this webpage?
Reply to this Message
Dan Guzman - 21 Dec 2005 05:46 GMT
Please let me know directly if you do not get satisfaction from using the
web page.  As Steve Kass stated in his response in the public group, the
security team is very serious about security issues. I've generally had good
experience with US support, albeit there are some time when support is not
up to par.

Signature

Hope this helps.

Dan Guzman
SQL Server MVP

> "Dan Guzman" <guzmanda@nospam-online.sbcglobal.net> wrote in news:#
> 9T4CWbBGHA.216@TK2MSFTNGP15.phx.gbl:
>
>> http://www.microsoft.com/technet/security/bulletin/alertus.aspx
>
> So why does not Microsoft Support know about this webpage?
Reply to this Message
Ole Kristian Bangås - 21 Dec 2005 12:24 GMT
> Please let me know directly if you do not get satisfaction from using
> the web page.  As Steve Kass stated in his response in the public
> group, the security team is very serious about security issues. I've
> generally had good experience with US support, albeit there are some
> time when support is not up to par.

The webpage was very satisfactory. I got contact within few hours.

Signature

Ole Kristian Bangås
MCT, MCDBA, MCDST, MCSE:Security, MCSE:Messaging

Reply to this Message
Steve Kass - 21 Dec 2005 03:41 GMT
Ole,

I've worked with the security team on issues very much
like what you describe, and they are real professionals.

The URL Dan posted is the right one.  If you don't get
a quick response, refer them to this thread and tell them
that SQL Server MVP's Dan and Steve sent you.  ;)

Since what you describe is similar to an issue that is already
known and public (and on the Microsoft web site), I'll point to
this blog post, which refers to a Microsoft white paper on the topic:

http://sqlservercentral.com/cs/blogs/brian_kelley/archive/2005/11/25/334.aspx

Steve Kass
Drew University

>After having been in contact with Microsoft Support in various countries,
>both by mail and phone, what I was told to do is to post here.
[quoted text clipped - 17 lines]
>
>  
Reply to this Message
Ole Kristian Bangås - 21 Dec 2005 12:14 GMT
> http://sqlservercentral.com/cs/blogs/brian_kelley/archive/2005/11/25/33
> 4.aspx

Thanks for the response. And by the way, not the same issue as far as I can
see :)

Signature

Ole Kristian Bangås
MCT, MCDBA, MCDST, MCSE:Security, MCSE:Messaging

Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2009 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.