An update to this: the security folks have told me it’s not a security issue, but they’re forwarding it to the appropriate team.
Perhaps I’m biased, but I’d have thought that a Windows Update that ships malware that bricks thousands of consumer devices without warning would constitute a security issue.
But hey … at least they’re actioning it, and they responded so quickly. So, FYI: if you have a security issue to report to Microsoft, do it by email. Phone staff are utterly, completely useless for this.
Bureaucratically, it probably isn't a security issue for Microsoft; they have a separate department (probably legal, although maybe a separate hardware vendor relations group) that is much better at dealing with a named, legal organization like FTDI.
Another update: Microsoft had already been made aware of the issue, and were investigating. I've lodged a formal compliment over the way their security team responded to my report (once I found them). Prompt, helpful, efficient and reassuring.
They agree :) Although I'm surprised; I genuinely thought that a company using Windows Update to push malware would count. But even so, MSRC did ensure that the issue was handled by the appropriate team. Kudos.
=====
Hi,
I've been advised to email this address by 'XXXX' at Microsoft Support.
FTDI is shipping a malware driver for Windows; if it detects what it thinks is a counterfeit device plugged in by USB, it bricks it. Details here:
http://www.eevblog.com/forum/reviews/ftdi-driver-kills-fake-...
I've also attempted to report this by phone as suggested by XXXX. I've never experienced such difficulty trying to report a security issue; I'd have expected that you'd have processes in place, but apparently not.
My first attempt was met by a CSR who informed me that he knew of no protocol for reporting security issues, and that he couldn't help me because it wasn't directly affecting my computer. He then hung up on me when I asked to speak to a supervisor.
Second call got me a much more helpful chap, who after conferring with a supervisor, transferred me to professional services. The person I spoke with there said they also didn't have any security reporting protocol, or if they did, he didn't know about it. When I said the issue could affect thousands of devices, he transferred me through to 'corporate'.
I ended up going through an IVR system to an operator, who was no help whatsoever. She was entirely the wrong person to speak to; she was also completely ignorant of any security reporting process, and didn't know who to transfer me to.
Could you please call me on +61 XXX XXX XXX to acknowledge receipt of this report, and to discuss it? Thanks.
=====