Thanks.....I will send it and let you know what they say.
Jim
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%23IoGRYSEGHA.516@TK2MSFTNGP15.phx.gbl...
>I would send this to secure@microsoft.com if you would like the necessary
> people to look over your comments.
>
> Cheers
> Ken
>
>
> "Jim" <reply@groups.please> wrote in message
> news:QeOuf.21107$3I3.4732@bignews5.bellsouth.net...
> : [Standard Disclaimer: I could always be wrong.....but.....]
> :
> : In the most current update to Microsoft's Security Advisory about the WMF
> : exploit (http://www.microsoft.com/technet/sec...y/912840.mspx), I believe
> : that there are several mis-statements that should be addressed in the
> : "Mitigating Factors" section.
> :
> : 1) "In a Web-based attack scenario, an attacker would have to host a Web
> : site that contains a Web page that is used to exploit this vulnerability."
> : This is false. Attackers can post infected files to unsecured websites or
> : photo blogs like Flickr. Hosting the website would add an unwanted trail to
> : the hacker and is avoided by all but the most inexperienced hackers. While
> : script kiddies will host this exploit, the more advanced exploitations are
> : likely to pop up on websites NOT hosted by the attackers.
> :
> : In fact, all you have to do is view an infected image onscreen to launch
> : the attack against your PC.
> :
> : 2) "Instead, an attacker would have to persuade users to visit the Web site,
> : typically by getting them to click a link in an e-mail or Instant Messenger
> : request that takes users to the attacker's Web site." Also not true.
> : Pop-ups can also hold exploits used to take over a user's PC. As you are
> : aware, you don't have to do anything to get a pop-up to launch except visit
> : a site that may have no knowledge of what is in the pop-up (other than any
> : advertising agreements they have with the pop-up target site or ad
> : reseller).
> :
> : Also not taken into account is the rather nasty habit that most websites
> : (even sites like www.CNN.com) have of hosting third-party images that are
> : frequently retrieved from even a 4th, 5th or Xth party site. This increases
> : the likelihood of an attack being launched via 3rd party images on even
> : well-respected sites like www.cnn.com or www.cnet.com.
> :
> : 3) "In an e-mail based attack involving the current exploit, customers would
> : have to click on a link in a malicious e-mail or open an attachment that
> : exploits the vulnerability." This is not true for any user that reads their
> : email in HTML format. HTML emails automatically download and display images
> : in HTML emails. This means that simply reading an HTML email can infect an
> : unpatched machine. You don't have to click a thing.
> :
> : A little lower in the updated advisory Microsoft states "In Windows Server
> : 2003, Microsoft Outlook Express uses plain text for reading and sending
> : messages by default. When replying to an e-mail message that is sent in
> : another format, the response is formatted in plain text.", indicating that
> : they are aware of the HTML email vulnerability, but not making it clear that
> : reading emails in HTML format can launch an attack without clicking on
> : anything.
> :
> : 4) "At this point, no attachment has been identified in which a user can be
> : attacked simply by reading mail." This is true and should be differentiated
> : from #3's mis-statement. An attachment must be clicked to be viewed. Note
> : the word "attachment". HTML emails (if read in HTML format) load their
> : images from servers and display them automatically within the email when you
> : view the HTML email. When reading an HTML email that contains an infected
> : image file, you do not need to click anything for the exploit to be
> : executed. The display of the image on your screen is all it takes to launch
> : its payload.
> :
> : Financial Times states "Unlike most attacks, which require victims to
> : download or execute a suspect file, the new vulnerability makes it possible
> : for users to infect their computers with spyware or a virus simply by
> : viewing a web page, e-mail or instant message that contains a contaminated
> : image." - at http://news.ft.com/cms/s/0d644d5e-7b...0779e2340.html
> :
> : 5) "This issue is not known to be wormable." Not true. An MSN Messenger
> : worm has already been reported to be spreading in the wild - see
> : http://www.f-secure.com/weblog/archi...ve-122005.html and
> : http://www.viruslist.com/en/weblog?d...92530&return=1.
> :
> : If I've got anything wrong here (I'm not perfect either)....speak up.
> :
> : Jim
> :
> :
> :
>
>