Microsoft makes errors in Microsoft Security Advisory (912840)

#1
[Standard Disclaimer: I could always be wrong.....but.....]

In the most current update to Microsoft's Security Advisory about the WMF exploit (http://www.microsoft.com/technet/sec...y/912840.mspx), I believe that there are several mis-statements that should be addressed in the "Mitigating Factors" section.

1) "In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability." This is false. Attackers can post infected files to unsecured websites or photo blogs like Flickr. Hosting the website would add an unwanted trail to the hacker and is avoided by all but the most inexperienced hackers. While script kiddies will host this exploit, the more advanced exploitations are likely to pop up on websites NOT hosted by the attackers.

In fact, all you have to do is view an infected image onscreen to launch the attack against your PC.

2) "Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger request that takes users to the attacker's Web site." Also not true. Pop-ups can also hold exploits used to take over a user's PC. As you are aware, you don't have to do anything to get a pop-up to launch except visit a site that may have no knowledge of what is in the pop-up (other than any advertising agreements they have with the pop-up target site or ad reseller).

Also not taken into account is the rather nasty habit most websites (even sites like www.CNN.com) have of hosting third-party images that are frequently retrieved from even a 4th, 5th or Xth party site. This increases the likelihood of an attack being launched via 3rd party images on even well-respected sites like www.cnn.com or www.cnet.com.

3) "In an e-mail based attack involving the current exploit, customers would have to click on a link in a malicious e-mail or open an attachment that exploits the vulnerability." This is not true for any user that reads their email in HTML format. HTML emails automatically download and display images in HTML emails. This means that simply reading an HTML email can infect an unpatched machine. You don't have to click a thing.

A little lower in the updated advisory Microsoft states "In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text.", indicating that they are aware of the HTML email vulnerability, but not making it clear that reading emails in HTML format can launch an attack without clicking on anything.

4) "At this point, no attachment has been identified in which a user can be attacked simply by reading mail." This is true and should be differentiated from #3's mis-statement. An attachment must be clicked to be viewed. Note the word "attachment". HTML emails (if read in HTML format) load their images from servers and display them automatically within the email when you view the HTML email. When reading an HTML email that contains an infected image file, you do not need to click anything for the exploit to be executed. The display of the image on your screen is all it takes to launch its payload.

Financial Times states "Unlike most attacks, which require victims to download or execute a suspect file, the new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image." - at http://news.ft.com/cms/s/0d644d5e-7b...0779e2340.html

5) "This issue is not known to be wormable." Not true. An MSN Messenger worm has already been reported to be spreading in the wild - see http://www.f-secure.com/weblog/archi...ve-122005.html and http://www.viruslist.com/en/weblog?d...92530&return=1.

If I've got anything wrong here (I'm not perfect either)....speak up.

Jim
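As an added example (not from Jim's post, nor from Microsoft's advisory), the Python script below shows the defender's side of points 3 and 4: it parses a constructed MIME message, lists the image URLs an HTML view would fetch from a network server with no click at all, and extracts the plain-text alternative that a client configured to read mail as text would show instead. The message, host names and `example.invalid` domain are constructed for the example.

```python
"""Flag HTML mail parts that fetch remote images on display, and show the
plain-text alternative a client reads when configured to render mail as text.
Added example for this thread, not code from the original post or advisory.
The message and the example.invalid host names below are constructed."""
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed multipart/alternative message: a text/plain part plus an HTML
# part with one remote <img>, one inline cid: image, one data: URI and a
# legacy background= attribute pointing at a second remote host.
SAMPLE_EMAIL = b"""\
From: sender@example.invalid
To: reader@example.invalid
Subject: Holiday photos
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Here are the photos from the trip.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Here are the photos from the trip.</p>
<img src="http://photos.example.invalid/trip/pic1.jpg" alt="pic">
<img src="cid:inline-logo">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<table background="https://ads.example.invalid/banner.gif"><tr><td>x</td></tr></table>
</body></html>
--b1--
"""

REMOTE_SCHEMES = {"http", "https", "ftp"}
# Elements whose src/background attribute is fetched while rendering.
AUTO_FETCH_TAGS = {"img", "body", "table", "td", "input"}


class _ImageRefCollector(HTMLParser):
    """Collect every URL an HTML renderer would request without a click."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in AUTO_FETCH_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "background") and value:
                self.refs.append(value)


def remote_image_refs(raw_message: bytes) -> list:
    """Return the network-fetched image URLs from every text/html part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImageRefCollector()
        collector.feed(part.get_content())
        # cid: and data: images travel inside the message; only remote
        # schemes cause a fetch from a server the sender need not control.
        found.extend(u for u in collector.refs
                     if urlsplit(u).scheme.lower() in REMOTE_SCHEMES)
    return found


def plain_text_body(raw_message: bytes) -> str:
    """The mitigation the advisory relies on: read the text/plain alternative,
    so no image is fetched or decoded at all. Returns '' when there is none."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else ""
```

Running `remote_image_refs(SAMPLE_EMAIL)` reports the two remote hosts the HTML view would contact; `plain_text_body(SAMPLE_EMAIL)` shows what a plain-text reader displays without contacting either.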
#2
I would send this to secure@microsoft.com if you would like the necessary people to look over your comments.

Cheers
Ken

"Jim" <reply@groups.please> wrote in message news:QeOuf.21107$3I3.4732@bignews5.bellsouth.net...
> [snip]
#3
Thanks.....I will send it and let you know what they say.

Jim

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:%23IoGRYSEGHA.516@TK2MSFTNGP15.phx.gbl...
> I would send this to secure@microsoft.com if you would like the necessary
> people to look over your comments.
>
> Cheers
> Ken
>
> "Jim" <reply@groups.please> wrote in message news:QeOuf.21107$3I3.4732@bignews5.bellsouth.net...
>> [snip]
#4
Jim, also I think one cross-posted thread is enough. Over here in the Tablet PC newsgroup these multiple threads are beginning to be quite a distraction and I imagine elsewhere too.

--
Josh Einstein
Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
www.tabletoutlook.com

"Jim" <reply@groups.please> wrote in message news:QeOuf.21107$3I3.4732@bignews5.bellsouth.net...
> [snip]
#5
Just some hysterical person who thinks they've discovered something.

--
Goodbye Web Diary
http://margokingston.typepad.com/har....html#comments

"Josh Einstein" <josheinstein@hotmail.com> wrote in message news:O53Q79UEGHA.2320@TK2MSFTNGP11.phx.gbl...
> Jim, also I think one cross-posted thread is enough. Over here in the Tablet
> PC newsgroup these multiple threads are beginning to be quite a distraction
> and I imagine elsewhere too.
>
> --
> Josh Einstein
> Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
> www.tabletoutlook.com
>
> "Jim" <reply@groups.please> wrote in message news:QeOuf.21107$3I3.4732@bignews5.bellsouth.net...
>> [snip]
#6
Watch Out!

--
Chicken Little
#7
"Chuck" <yadayada@blah.blah> wrote in message news:dNSdnexxp5bg-yHeRVn-iQ@comcast.com...
> Watch Out!
>
> --
> Chicken Little

It's OK, I have my protection ... http://zapatopi.net/afdb/

Turkey big
#8
"Mike Fields" <spam_me_not_mr.gadget2@comcast.net> wrote in message news:%237hJvFZEGHA.3200@tk2msftngp13.phx.gbl...
> "Chuck" <yadayada@blah.blah> wrote in message news:dNSdnexxp5bg-yHeRVn-iQ@comcast.com...
>> Watch Out!
>>
>> --
>> Chicken Little
>
> It's OK, I have my protection ... http://zapatopi.net/afdb/
>
> Turkey big

This one looks better http://scoop.diamondgalleries.com/ne...02_15609_1.jpg

--
Eric Magnus Lensherr
#9
Please stop cross-posting to all these groups. The windowsxp.general newsgroup should suffice.

--
Chris H.
Microsoft Windows MVP/Tablet PC
Tablet Creations - http://nicecreations.us/
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

"Chuck" <yadayada@blah.blah> wrote in message news:uZOdnU3ztIw14iHeRVn-rQ@comcast.com...
> [snip]
#10
Get stuffed. Use the tablet group for this crap.

--
Goodbye Web Diary
http://margokingston.typepad.com/har....html#comments

"Chris H." <winxpnews@hotmail.com> wrote in message news:eMhpm2ZEGHA.3896@TK2MSFTNGP10.phx.gbl...
> Please stop cross-posting to all these groups. The windowsxp.general
> newsgroup should suffice.
> --
> Chris H.
> Microsoft Windows MVP/Tablet PC
> Tablet Creations - http://nicecreations.us/
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> "Chuck" <yadayada@blah.blah> wrote in message news:uZOdnU3ztIw14iHeRVn-rQ@comcast.com...
>> [snip]