OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Microsoft Product Security (secnotifMICROSOFT.COM)
Date: Wed Apr 18 2001 - 21:27:05 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
                        ********************************

    -----BEGIN PGP SIGNED MESSAGE-----

    - ----------------------------------------------------------------------
    Title: WebDAV Service Provider Can Allow Scripts to Levy
                Requests as User
    Date: 18 April 2001
    Software: Microsoft Data Access Component Internet Publishing
                Provider
    Impact: Web-based script could levy WebDAV requests on the user's
                behalf.
    Bulletin: MS01-022

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS01-022.asp.
    - ----------------------------------------------------------------------

    Issue:
    ======
    The Microsoft Data Access Component Internet Publishing Provider
    provides access to WebDAV resources over the Internet. By design, it
    should differentiate between requests made by a user and those made
    by
    a script running in the user's browser. However, because of an
    implementation flaw, it handles all requests in the security context
    of
    the user. As a result, if a user browsed to a web page or opened an
    HTML e-mail that contained script, that script could access web-based
    resources as the user.

    The specific actions an attacker could take via this vulnerability
    would depend on the Web-based resources available to the user, and
    the
    user's privileges on them. However, it is likely that at a minimum,
    the
    attacker could browse the user's intranet, and potentially access
    web-based e-mail as well.

    Mitigating Factors:
    ====================
     - The attacker would need to possess significant inside information
    in
       order to carry out a successful attack, such as server names,
    folder
       structures, and other user- and network-specific information. This
       vulnerability would therefore be most likely used as part of an
       insider attack.
     - The vulnerability could not be exploited against stand-alone
       machines.
     - The vulnerability could not be exploited if Active Scripting was
       disabled in the Security Zone the script opened in.

    Patch Availability:
    ===================
     - A patch is available to fix this vulnerability. Please read the
       Security Bulletin
       http://www.microsoft.com/technet/security/bulletin/ms01-022.asp
       for information on obtaining this patch.

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
    "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
    WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
    SHALL
    MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
    WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
    LOSS
    OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
    OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
    DAMAGES.
    SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
    CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
    NOT
    APPLY.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.3

    iQEVAwUBOt5M+Y0ZSRQxA/UrAQHf8gf/cAPS3JZrCMF5ukQjd/S3wXs1obvgZhhj
    Ve1aPjx7cNBEzOzIo9bWcRig1GQ2XBlntbgyzgV/f53ZcsvhKjiuUubNES0fQ6NX
    7JWwoTd+cY8pgazSp84GAmbRNtJQowa7Klpn93Mq7J3K3l3qn/DThMuuWMMDxOWH
    lcTvnptyfL1HLI/q+8DaLjiSLaqA1folR9DPZ7s/w3BbYZcNc68MCrFRwdWk775p
    fnHXjmpLWv1eiSiUdOS43g0pE9MydJ9kpz+D5e/GrWIJK1lKJm0G8jzNtIeFTNWT
    IV5AlNDbmIT8M8R9r3643EymdgcrdJUoqpPN+5I+HLRusccrCyXpCw==
    =NrUA
    -----END PGP SIGNATURE-----

       *******************************************************************
    You have received this e-mail bulletin as a result of your registration
    to the Microsoft Product Security Notification Service. You may
    unsubscribe from this e-mail notification service at any time by sending
    an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTANNOUNCE.MICROSOFT.COM
    The subject line and message body are not used in processing the request,
    and can be anything you like.

    To verify the digital signature on this bulletin, please download our PGP
    key at http://www.microsoft.com/technet/security/notify.asp.

    For more information on the Microsoft Security Notification Service
    please visit http://www.microsoft.com/technet/security/notify.asp. For
    security-related information about Microsoft products, please visit the
    Microsoft Security Advisor web site at http://www.microsoft.com/security.

    _____________________________________________________________________
    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net