Just some hysterical person who thinks they've discovered something.
--
--------------------------------------------------------------------------------------------------
Goodbye Web Diary
http://margokingston.typepad.com/har....html#comments
=================================================
"Josh Einstein" <josheinstein@hotmail.com> wrote in message news:O53Q79UEGHA.2320@TK2MSFTNGP11.phx.gbl...
> Jim, also I think one cross-posted thread is enough. Over here in the Tablet
> PC newsgroup these multiple threads are beginning to be quite a distraction
> and I imagine elsewhere too.
>
> --
> Josh Einstein
> Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
> www.tabletoutlook.com
>
> "Jim" <reply@groups.please> wrote in message
> news:QeOuf.21107$3I3.4732@bignews5.bellsouth.net...
>> [Standard Disclaimer: I could always be wrong.....but.....]
>>
>> In the most current update to Microsoft's Security Advisory about the WMF
>> exploit (http://www.microsoft.com/technet/sec...y/912840.mspx), I
>> believe that there are several mis-statements that should be addressed in
>> the "Mitigating Factors" section.
>>
>> 1) "In a Web-based attack scenario, an attacker would have to host a Web
>> site that contains a Web page that is used to exploit this vulnerability."
>> This is false. Attackers can post infected files to unsecured websites or
>> photo blogs like Flickr. Hosting the website would add an unwanted trail
>> to the hacker and is avoided by all but the most inexperienced hackers.
>> While script kiddies will host this exploit, the more advanced
>> exploitations are likely to pop up on websites NOT hosted by the attackers.
>>
>> In fact, all you have to do is view an infected image onscreen to
>> launch the attack against your PC.
>>
>> 2) "Instead, an attacker would have to persuade users to visit the Web
>> site, typically by getting them to click a link in an e-mail or Instant
>> Messenger request that takes users to the attacker's Web site." Also not
>> true. Pop-ups can also hold exploits used to take over a user's PC. As you
>> are aware, you don't have to do anything to get a pop-up to launch except
>> visit a site that may have no knowledge of what is in the pop-up (other
>> than any advertising agreements they have with the pop-up target site or
>> ad reseller).
>>
>> Also not taken into account is the rather nasty habit that most
>> websites (even sites like www.CNN.com) have of hosting third-party images
>> that are frequently retrieved from even a 4th, 5th or Xth party site. This
>> increases the likelihood of an attack being launched via 3rd party images
>> on even well-respected sites like www.cnn.com or www.cnet.com .
>>
>> 3) "In an e-mail based attack involving the current exploit, customers
>> would have to click on a link in a malicious e-mail or open an attachment
>> that exploits the vulnerability." This is not true for any user that reads
>> their email in HTML format. HTML emails automatically download and display
>> images in HTML emails. This means that simply reading an HTML email can
>> infect an unpatched machine. You don't have to click a thing.
>>
>> A little lower in the updated advisory Microsoft states "In Windows
>> Server 2003, Microsoft Outlook Express uses plain text for reading and
>> sending messages by default. When replying to an e-mail message that is
>> sent in another format, the response is formatted in plain text.",
>> indicating that they are aware of the HTML email vulnerability, but not
>> making it clear that reading emails in HTML format can launch an attack
>> without clicking on anything.
>>
>> 4) "At this point, no attachment has been identified in which a user can
>> be attacked simply by reading mail." This is true and should be
>> differentiated from #3's mis-statement. An attachment must be clicked to
>> be viewed. Note the word "attachment". HTML emails (if read in HTML
>> format) load their images from servers and display them automatically
>> within the email when you view the HTML email. When reading an HTML email
>> that contains an infected image file, you do not need to click anything
>> for the exploit to be executed. The display of the image on your screen is
>> all it takes to launch its payload.
>>
>> Financial Times states "Unlike most attacks, which require victims to
>> download or execute a suspect file, the new vulnerability makes it
>> possible for users to infect their computers with spyware or a virus
>> simply by viewing a web page, e-mail or instant message that contains a
>> contaminated image." - at
>> http://news.ft.com/cms/s/0d644d5e-7b...0779e2340.html
>>
>> 5) "This issue is not known to be wormable." Not true. An MSN Messenger
>> worm has already been reported to be spreading in the wild - see
>> http://www.f-secure.com/weblog/archi...ve-122005.html and
>> http://www.viruslist.com/en/weblog?d...92530&return=1.
>>
>> If I've got anything wrong here (I'm not perfect either)....speak up.
>>
>> Jim
>>
>>
>>
>
>
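
An added example, not part of the original posts, relating to points 3 and 4 above: it separates the images an HTML mail makes the client fetch or render on display from attachments that need a click, which is what a mail filter would check before deciding to strip or block image loading. The sample message, host names and file name are constructed.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []  # src of every <img> tag seen

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src.strip())

def auto_loaded_images(raw_message):
    """Return (remote_urls, inline_cids, attachment_names) for one message."""
    msg = message_from_string(raw_message, policy=default)
    remote, inline, attachments = [], [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            # Shown as an icon; not rendered until the user opens it.
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/html":
            collector = _ImgCollector()
            collector.feed(part.get_content())
            for src in collector.sources:
                scheme = urlparse(src).scheme.lower()
                if scheme in ("http", "https"):
                    remote.append(src)      # fetched from a server on display
                elif scheme == "cid":
                    inline.append(src[4:])  # rendered from a MIME part
    return remote, inline, attachments

# Constructed sample message (not taken from any real mail).
SAMPLE = """\
From: sender@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="http://images.example.net/banner.gif"><img src="cid:logo1"></body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="picture.wmf"

constructed-bytes
--b1--
"""
```

A non-empty first or second list means the message displays images with no click when read as HTML; reading mail as plain text avoids both.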