Re: Alert: Microsoft Security Bulletin - MS03-017
From: Russ (Russ.CooperRC.ON.CA)
Date: Wed May 07 2003 - 14:26:50 CDT
Unfortunately it would appear that Microsoft Security Response Center has lost all of the people capable of making reasonable statements regarding, in this case, Mitigators.
From MS03-017 - Mitigating factors
"By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update, has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that attempted to automatically exploit these vulnerabilities."
This is extremely misleading. We have only had viruses for 8+ years now that rely upon users clicking on something in their email. Whether the attack was crafted to be automated or not, if a URL is present and the user chooses to click on it, it will be successful even if OE 6 or O2K are used, even if the Outlook Email Security Update is in place. Microsoft themselves acknowledge this in their Technical description section.
"The attacker would have no way to force users to visit a malicious web site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site."
Obviously this is totally false, and they even say so in their own Technical description section;
"However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack that could both place, then launch the malicious executable without the user having to click on a URL contained in an e-mail."
Don't they read their own writings?
Granted, they list it as "Critical", but then they should also ensure they are not totally misleading people who read the "Mitigating factors" section.
For MS03-017, there's only one mitigating factor MS can offer...make sure you're running Media Player 9.0 (and by the way, it doesn't matter whether it's running or not, or whether it's ever been used, if something tries to invoke it you will be happily walked through a wizard to get it running...it's on every system unless you purposefully removed the binaries!)
Russ - NTBugtraq Editor