From: Thor Larholm (lists.netsys.com_at_jscript.dk)
Date: Thu Dec 05 2002 - 07:42:52 CST
----- Original Message -----
From: "Thor Larholm" <thorpivx.com>
Sent: Thursday, December 05, 2002 2:41 PM
Subject: Notes on MS02-068, extensive downplaying of severity
> Following the release of the cumulative MS02-066 patch from the previous
> week, Microsoft has released yet another cumulative patch for Internet
> Explorer - MS02-068, which can be found at
> The sole vulnerability that MS02-068 patches is the "external object
> caching" vulnerability discovered by GreyMagic Software. The rather
> surprising aspects of this bulletin are the extensive downplaying of
> and the incorrect mitigating factors.
> Microsoft has given this vulnerability a maximum severity rating of
> "Moderate". Great, so arbitrary command execution, local file reading and
> complete system compromise is now only moderately severe, according to
> Moving on to the technical description, we see yet more inaccuracies. The
> entire first paragraph is a falsum:
> "Exploiting the vulnerability could enable an attacker to read, but not
> change, any file on the user's local computer. In addition, the attacker
> could invoke an executable that was already present on the local system.
> attacker would need to know the exact location of the executable, and
> not be able to pass parameters to it. Microsoft is not aware of any
> executable that ships by default as part of Windows and, when run without
> parameters, could be dangerous. "
> Allow me to rephrase:
> Exploiting the vulnerability could enable an attacker to perform any
> on the local computer that the user being exploited can perform. This
> includes, but is not limited to, reading and changing any file on the
> local computer, forcefully placing arbitrary files on the system in any
> location and invoking any executable on the system both with and without
> Further down we find yet more inaccuracies:
> "Without the ability to pass parameters, it's unlikely that an attacker
> could do much. For instance, although the attacker could run the command
> prompt, he couldn't pass a command (e.g., format c:) to it. "
> "This vulnerability provides no way for an attacker to transfer a program
> their choice to the user's system. "
> Since we can already create and execute arbitrary command scripts on the
> machine, I fail to see how the above can be remotely accurate.
> this is as simple as creating and executing an automated FTP script, or
> merely recreating an EXE file from an embedded string in the HTML.
> Microsoft are very much aware of this, and even modified the MS02-066
> bulletin (following the post from GreyMagic on Bugtraq) to provide
> assistance in mitigating how the HTML Help control can execute commands in
> the local zone.
> It seems like Microsoft are deliberately downplaying the severity of their
> vulnerabilities in an attempt to gain less bad press. It sure would look
> to release 2 critical cumulative updates in just 2 weeks, but that is
> exactly what has been done. As it stands now, the bulletin is released and
> most journalists willing to comment have already noticed the "Moderate"
> label and the extensive list of (incorrect) mitigating factors, and quite
> likely will not write anything on just how severe this really is. I doubt
> most people care to read the revisions to the bulletin that will come
> There are currently 18 unpatched publicly known vulnerabilities in
> Explorer, of which I have labelled 6 as severe.
> Thor Larholm, Security Researcher
> PivX Solutions, LLC
> Strike Now, StrikeFirst!
Full-Disclosure - We believe in it.