  #4  
Old 01-05-2006, 02:35 AM
Josh Einstein
 
Posts: n/a
Default Re: Microsoft makes errors in Microsoft Security Advisory (912840)

Jim, also I think one cross-posted thread is enough. Over here in the Tablet
PC newsgroup these multiple threads are beginning to be quite a distraction
and I imagine elsewhere too.

--
Josh Einstein
Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
www.tabletoutlook.com

"Jim" <reply@groups.please> wrote in message
news:QeOuf.21107$3I3.4732@bignews5.bellsouth.net...
> [Standard Disclaimer: I could always be wrong.....but.....]
>
> In the most current update to Microsoft's Security Advisory about the WMF
> exploit (http://www.microsoft.com/technet/sec...y/912840.mspx), I believe
> that there are several mis-statements that should be addressed in the
> "Mitigating Factors" section.
>
> 1) "In a Web-based attack scenario, an attacker would have to host a Web
> site that contains a Web page that is used to exploit this vulnerability."
> This is false. Attackers can post infected files to unsecured websites or
> photo blogs like Flickr. Hosting the website would add an unwanted trail to
> the hacker and is avoided by all but the most inexperienced hackers. While
> script kiddies will host this exploit, the more advanced exploitations are
> likely to pop up on websites NOT hosted by the attackers.
>
> In fact, all you have to do is view an infected image onscreen to
> launch the attack against your PC.
>
> 2) "Instead, an attacker would have to persuade users to visit the Web site,
> typically by getting them to click a link in an e-mail or Instant Messenger
> request that takes users to the attacker's Web site." Also not true.
> Pop-ups can also hold exploits used to take over a user's PC. As you are
> aware, you don't have to do anything to get a pop-up to launch except visit
> a site that may have no knowledge of what is in the pop-up (other than any
> advertising agreements they have with the pop-up target site or ad
> reseller).
>
> Also not taken into account is the rather nasty habit that most websites
> (even sites like www.CNN.com) have of hosting third-party images that are
> frequently retrieved from even a 4th, 5th or Xth party site. This
> increases the likelihood of an attack being launched via 3rd party images on
> even well-respected sites like www.cnn.com or www.cnet.com.
>
> 3) "In an e-mail based attack involving the current exploit, customers would
> have to click on a link in a malicious e-mail or open an attachment that
> exploits the vulnerability." This is not true for any user that reads their
> email in HTML format. HTML emails automatically download and display images
> in HTML emails. This means that simply reading an HTML email can infect an
> unpatched machine. You don't have to click a thing.
>
> A little lower in the updated advisory Microsoft states "In Windows
> Server 2003, Microsoft Outlook Express uses plain text for reading and
> sending messages by default. When replying to an e-mail message that is sent
> in another format, the response is formatted in plain text.", indicating
> that they are aware of the HTML email vulnerability, but not making it clear
> that reading emails in HTML format can launch an attack without clicking on
> anything.
>
> 4) "At this point, no attachment has been identified in which a user can be
> attacked simply by reading mail." This is true and should be differentiated
> from #3's mis-statement. An attachment must be clicked to be viewed. Note
> the word "attachment". HTML emails (if read in HTML format) load their
> images from servers and display them automatically within the email when you
> view the HTML email. When reading an HTML email that contains an infected
> image file, you do not need to click anything for the exploit to be
> executed. The display of the image on your screen is all it takes to launch
> its payload.
>
> Financial Times states "Unlike most attacks, which require victims to
> download or execute a suspect file, the new vulnerability makes it possible
> for users to infect their computers with spyware or a virus simply by
> viewing a web page, e-mail or instant message that contains a contaminated
> image." - at
> http://news.ft.com/cms/s/0d644d5e-7b...0779e2340.html
>
> 5) "This issue is not known to be wormable." Not true. An MSN Messenger
> worm has already been reported to be spreading in the wild - see
> http://www.f-secure.com/weblog/archi...ve-122005.html and
> http://www.viruslist.com/en/weblog?d...92530&return=1.
>
> If I've got anything wrong here (I'm not perfect either)....speak up.
>
> Jim
>
>
>



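Jim's points 3 and 4 rest on what a mail client does automatically when it renders HTML: fetch remote images and decode inline ones without any click. The Python below is an added example, not part of this thread or of Microsoft's advisory; it audits a constructed message for those two behaviours and identifies inline images by their leading bytes (the placeable and standard WMF header magic comes from the WMF format itself, not from the thread) instead of trusting the declared type. All addresses and the sample message are constructed.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Magic numbers from the WMF and common raster formats; checked instead of
# trusting the declared Content-Type or a file extension.
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a"
REMOTE_IMG = re.compile(r'<img[^>]+src\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def sniff_image(data: bytes) -> str:
    """Identify an image by its leading bytes, not by what the sender declared."""
    if data[:4] == PLACEABLE_WMF:
        return "wmf"
    # Standard WMF header: Type (1 or 2), HeaderSize (9 words), Version (0x100/0x300)
    if (len(data) >= 6 and data[:2] in (b"\x01\x00", b"\x02\x00")
            and data[2:4] == b"\x09\x00" and data[4:6] in (b"\x00\x01", b"\x00\x03")):
        return "wmf"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    return "unknown"

def audit_message(raw: bytes) -> dict:
    """List what an HTML-rendering client would do without a click: the remote
    images it would fetch, and the inline images it would decode (real type)."""
    report = {"remote_images": [], "inline_parts": []}
    for part in message_from_bytes(raw, policy=default).walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            report["remote_images"] += REMOTE_IMG.findall(part.get_content())
        elif part.get_content_maintype() == "image":
            data = part.get_payload(decode=True) or b""
            report["inline_parts"].append({"declared": ctype, "sniffed": sniff_image(data),
                                           "cid": str(part.get("Content-ID"))})
    return report

def build_sample() -> bytes:
    """Constructed sample, not a captured message: one remote image reference and
    one inline part declared image/gif whose bytes carry a placeable-WMF header."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "sample"
    msg.set_content("plain-text alternative: no images are loaded in this view")
    msg.add_alternative('<html><body><p>hi</p><img src="http://img.example.invalid/banner.gif">'
                        '<img src="cid:part1"></body></html>', subtype="html")
    fake_wmf = PLACEABLE_WMF + b"\x00" * 18          # header magic only, no records
    msg.get_payload()[1].add_related(fake_wmf, maintype="image", subtype="gif", cid="<part1>")
    return msg.as_bytes()

if __name__ == "__main__":
    print(audit_message(build_sample()))
```

A client that reads in plain text, as the advisory describes for Outlook Express on Windows Server 2003, triggers neither list; an HTML-rendering client acts on both without user interaction.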