OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Harris, Ken (KHarris_at_HIPUSA.com)
Date: Fri Nov 22 2002 - 16:39:14 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hello all on focus-ms,

    Was wondering if anyone had figured out the best practice fix to the
    security flaw described here:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
    bulletin/MS02-065.asp

    The reason I ask is that Microsoft does not seem to show much confidence in
    this patch; e.g. in the Caveats section, it is implied that if a webpage
    references the older, pre-patch RDS control, dependent upon the IE security
    settings they will either be prompted to install the control, or it will be
    installed silently if Microsoft is added to the Trusted Publishers list.

    We happen to have a mission-critical custom webapp used internally which
    does use RDS, and is in the Trusted Sites zone on our workstations. However,
    I can't guarantee that the developers of this solution will get around to
    patching the server on which this runs, or changing the references in the
    ASP pages. Microsoft is NOT in the Trusted Publishers list on our
    workstation build, although there is nothing keeping our users from clicking
    "Always trust content from Microsoft".

    Am I right in assuming that even if we deploy the patch to our workstations,
    unless the patch is also applied to the webapp and the code is changed, the
    vulnerable control could be reinstalled and the workstation would be again
    vulnerable to this attack from a malicious website? Is there a better
    option? The client/server nature of this vulnerability makes me think that
    we may see a worm written to exploit it soon.

    Thanks in advance.

    Regards,

    Ken Harris

    **********************************************************************
    This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender of the error immediately, do not read or use the communication in any manner, destroy all copies, and delete it from your system if the communication was sent via email.

    **********************************************************************