From: Attonbitus Deus (ThorHAMMEROFGOD.COM)
Date: Fri Mar 30 2001 - 00:20:23 CST

    I preface this response by first saying that I have great respect for Mr.
    Guninski's capabilities in this arena.

    That being said, I feel that this bug should be downgraded to Medium. It is
    not "high risk" due to too many mitigating factors. First of which, you
    have to have active scripting turned on in the Internet Zone. I am aware
    that this is by default, but zone policies should be in place in any
    business environment to change this. Even if active scripting is enabled,
    the malicious host has to get the person to visit the site- they then have
    to know the username and location of the Exchange server. While
    pre-planning can accomplish this (socially), a particular user would have to
    be targeted.

    Please no flames telling me how easy it is to get people to visit a site...
    I am well aware. But since you have to be specifically targeted for this
    to work, and the person behind the scope would have to have specific
    knowledge about you, that makes this medium risk, if not low insofar as the
    community is concerned. If you are being singled out as a target, then you
    have other problems- of course, this sort of thing does not help you any.

    If I could set up a site that pulled ANY user's info that visited it, even
    if it did require active scripting, then that would indeed be high risk- but
    this does not.

    If you have a malicious insider, then you have FAR bigger problems. I am
    not using 'bigger problems' as a screen to obviate responsibility in the
    matter- I just think it should be categorized properly.

    ---------------------------------
    Attonbitus Deus
    ThorHammerofGod.Com

    ----- Original Message -----
    From: "Georgi Guninski" <guninskiGUNINSKI.COM>
    To: <BUGTRAQSECURITYFOCUS.COM>
    Sent: Wednesday, March 28, 2001 3:39 AM
    Subject: Security bugs in interactions between IE 5.x, IIS 5.0 and Exchange
    2000

    > Georgi Guninski security advisory #40, 2001
    >