----- Original Message -----
From: "Thor Larholm" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 05, 2002 2:41 PM
Subject: Notes on MS02-068, extensive downplaying of severity
> Following the release of the cumulative MS02-066 patch from the previous week, Microsoft has released yet another cumulative patch for Internet Explorer - MS02-068, which can be found at
> http://www.microsoft.com/technet/security/bulletin/MS02-068.asp
>
> The sole vulnerability that MS02-068 patches is the "external object caching" vulnerability discovered by GreyMagic Software. The rather surprising aspects of this bulletin are the extensive downplaying of severity and the incorrect mitigating factors.
>
> Microsoft has given this vulnerability a maximum severity rating of "Moderate". Great, so arbitrary command execution, local file reading and complete system compromise are now only moderately severe, according to Microsoft.
>
> Moving on to the technical description, we see yet more inaccuracies. The entire first paragraph is a falsum:
>
> "Exploiting the vulnerability could enable an attacker to read, but not change, any file on the user's local computer. In addition, the attacker could invoke an executable that was already present on the local system. The attacker would need to know the exact location of the executable, and would not be able to pass parameters to it. Microsoft is not aware of any executable that ships by default as part of Windows and, when run without parameters, could be dangerous."
>
> Allow me to rephrase:
> Exploiting the vulnerability could enable an attacker to perform any action on the local computer that the user being exploited can perform. This includes, but is not limited to, reading and changing any file on the user's local computer, forcefully placing arbitrary files on the system in any location and invoking any executable on the system both with and without parameters.
>
> Further down we find yet more inaccuracies:
> "Without the ability to pass parameters, it's unlikely that an attacker could do much. For instance, although the attacker could run the command prompt, he couldn't pass a command (e.g., format c:) to it."
> "This vulnerability provides no way for an attacker to transfer a program of their choice to the user's system."
>
> Since we can already create and execute arbitrary command scripts on the machine, I fail to see how the above can be remotely accurate. Accomplishing this is as simple as creating and executing an automated FTP script, or merely recreating an EXE file from an embedded string in the HTML.
>
> Microsoft are very much aware of this, and even modified the MS02-066 bulletin (following the post from GreyMagic on Bugtraq) to provide assistance in mitigating how the HTML Help control can execute commands in the local zone.
>
> It seems like Microsoft are deliberately downplaying the severity of their vulnerabilities in an attempt to gain less bad press. It sure would look bad to release 2 critical cumulative updates in just 2 weeks, but that is exactly what has been done. As it stands now, the bulletin is released and most journalists willing to comment have already noticed the "Moderate" label and the extensive list of (incorrect) mitigating factors, and quite likely will not write anything on just how severe this really is. I doubt most people care to read the revisions to the bulletin that will come later.
>
> There are currently 18 unpatched publicly known vulnerabilities in Internet Explorer, of which I have labelled 6 as severe.
>
> http://www.pivx.com/larholm/unpatched/
>
>
> Regards
> Thor Larholm, Security Researcher
> PivX Solutions, LLC
>
> Strike Now, StrikeFirst!
> http://www.pivx.com/sf.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
