From: Thor Larholm (lists.netsys.com_at_jscript.dk)
Date: Thu Dec 05 2002 - 07:42:52 CST


    ----- Original Message -----
    From: "Thor Larholm" <thor@pivx.com>
    To: <bugtraq@securityfocus.com>
    Sent: Thursday, December 05, 2002 2:41 PM
    Subject: Notes on MS02-068, extensive downplaying of severity

    > Following the release of the cumulative MS02-066 patch from the previous
    > week, Microsoft has released yet another cumulative patch for Internet
    > Explorer - MS02-068, which can be found at
    > http://www.microsoft.com/technet/security/bulletin/MS02-068.asp
    >
    > The sole vulnerability that MS02-068 patches is the "external object
    > caching" vulnerability discovered by GreyMagic Software. The rather
    > surprising aspect of this bulletin is the extensive downplaying of severity
    > and the incorrect mitigating factors.
    >
    > Microsoft has given this vulnerability a maximum severity rating of
    > "Moderate". Great, so arbitrary command execution, local file reading and
    > complete system compromise is now only moderately severe, according to
    > Microsoft.
    >
    > Moving on to the technical description, we see yet more inaccuracies. The
    > entire first paragraph is a falsum:
    >
    > "Exploiting the vulnerability could enable an attacker to read, but not
    > change, any file on the user's local computer. In addition, the attacker
    > could invoke an executable that was already present on the local system. The
    > attacker would need to know the exact location of the executable, and would
    > not be able to pass parameters to it. Microsoft is not aware of any
    > executable that ships by default as part of Windows and, when run without
    > parameters, could be dangerous."
    >
    > Allow me to rephrase:
    > Exploiting the vulnerability could enable an attacker to perform any action
    > on the local computer that the user being exploited can perform. This
    > includes, but is not limited to, reading and changing any file on the user's
    > local computer, forcefully placing arbitrary files on the system in any
    > location and invoking any executable on the system both with and without
    > parameters.
    >
    > Further down we find yet more inaccuracies:
    > "Without the ability to pass parameters, it's unlikely that an attacker
    > could do much. For instance, although the attacker could run the command
    > prompt, he couldn't pass a command (e.g., format c:) to it."
    > "This vulnerability provides no way for an attacker to transfer a program of
    > their choice to the user's system."
    >
    > Since we can already create and execute arbitrary command scripts on the
    > machine, I fail to see how the above can be remotely accurate. Accomplishing
    > this is as simple as creating and executing an automated FTP script, or
    > merely recreating an EXE file from an embedded string in the HTML.
    >
    > Microsoft are very much aware of this, and even modified the MS02-066
    > bulletin (following the post from GreyMagic on Bugtraq) to provide
    > assistance in mitigating how the HTML Help control can execute commands in
    > the local zone.
    >
    > It seems like Microsoft are deliberately downplaying the severity of their
    > vulnerabilities in an attempt to gain less bad press. It sure would look bad
    > to release 2 critical cumulative updates in just 2 weeks, but that is
    > exactly what has been done. As it stands now, the bulletin is released and
    > most journalists willing to comment have already noticed the "Moderate"
    > label and the extensive list of (incorrect) mitigating factors, and quite
    > likely will not write anything on just how severe this really is. I doubt
    > most people care to read the revisions to the bulletin that will come later.
    >
    > There are currently 18 unpatched publicly known vulnerabilities in Internet
    > Explorer, of which I have labelled 6 as severe.
    >
    > http://www.pivx.com/larholm/unpatched/
    >
    >
    > Regards
    > Thor Larholm, Security Researcher
    > PivX Solutions, LLC
    >
    > Strike Now, StrikeFirst!
    > http://www.pivx.com/sf.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html