1. This forum section is a read-only archive which contains old newsgroup posts. If you wish to post a query, please do so in one of our main forum sections (here). This way you will get a faster, better response from the members on Motherboard Point.

Microsoft makes errors in Microsoft Security Advisory (912840)

Discussion in 'Tablet PC' started by Jim, Jan 4, 2006.

  1. Jim

    Jim Guest

    [Standard Disclaimer: I could always be wrong.....but.....]

    In the most current update to Microsoft's Security Advisory about the WMF
    exploit (http://www.microsoft.com/technet/security/advisory/912840.mspx), I
    believe that there are several mis-statements that should addressed in the
    "Mitigating Factors" section.

    1) "In a Web-based attack scenario, an attacker would have to host a Web
    site that contains a Web page that is used to exploit this vulnerability."
    This is false. Attackers can post infected files to unsecured websites or
    photo blogs like Flickr. Hosting the website would add an unwanted trail to
    the hacker and is avoided by all but the most inexperienced hackers. While
    script kiddies will host this exploit, the more advanced exploitations are
    likely to pop up on websites NOT hosted by the attackers.

    In fact, all you have to do is ciew an infected image onscreen to
    launch the attack against your PC.

    2) "Instead, an attacker would have to persuade users to visit the Web site,
    typically by getting them to click a link in an e-mail or Instant Messenger
    request that takes users to the attacker's Web site." Also not true.
    Pop-ups can also hold exploits used to take over a user's PC. As you are
    aware, you don;t have to do anything to get a pop-up to launch except visit
    a site that may have no knowledge of what is in the pop-up (other than any
    advertising agreements they have with the pop-up target site or ad
    reseller).

    Also not taken into account is the rather nasty habit that most
    websites (even sites like www.CNN.com) of hosting third-party images that
    are frequently retrieved from even a 4th, 5th or Xth party site. This
    increases the likelihood of an attack being launched via 3rd party images on
    even well-respected sites like www.cnn.com or www.cnet.com .

    3) "In an e-mail based attack involving the current exploit, customers would
    have to click on a link in a malicious e-mail or open an attachment that
    exploits the vulnerability." This is not true for any user that reads thier
    email in HTML format. HTML emails automatically download and display images
    in HTML emails. This means that simply reading an HTML email can infect an
    unpatched machine. You don't have to click a thing.

    A little lower in the updated advisory Microsoft states "In Windows
    Server 2003, Microsoft Outlook Express uses plain text for reading and
    sending messages by default. When replying to an e-mail message that is sent
    in another format, the response is formatted in plain text.", indicating
    that they are aware of the HTML email vulnerability, but not making it clear
    that reading emails in HTML format can launch an attack without clicking on
    anything.

    4) "At this point, no attachment has been identified in which a user can be
    attacked simply by reading mail." This is true and should be differentiated
    from #3's mis-statement. An attachment must be clicked to be viewed. Note
    the word "attachment". HTML emails (if read in HTML format) load thier
    images from servers ad display them automatically within the email when you
    view the HTML email. When reading an HTML email that contains and infected
    image file, you do not need to click anything for the exploit to be
    executed. The display of the image on your screen is all it takes to launch
    it's payload.

    Financial Times states "Unlike most attacks, which require victims to
    download or execute a suspect file, the new vulnerability makes it possible
    for users to infect their computers with spyware or a virus simply by
    viewing a web page, e-mail or instant message that contains a contaminated
    image." - at
    http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html

    5) "This issue is not known to be wormable." Not true. An MSN Messenger
    worm has already been reported to be spreading in the wild - see
    http://www.f-secure.com/weblog/archives/archive-122005.html and
    http://www.viruslist.com/en/weblog?discuss=176892530&return=1.

    If I've got anything wrong here (I'm not perfect either ;) )....speak up.

    Jim
     
    Jim, Jan 4, 2006
    #1
    1. Advertisements

  2. Jim

    Ken Schaefer Guest

    I would send this to if you would like the necessary
    people to look over your comments.

    Cheers
    Ken


    : [Standard Disclaimer: I could always be wrong.....but.....]
    :
    : In the most current update to Microsoft's Security Advisory about the WMF
    : exploit (http://www.microsoft.com/technet/security/advisory/912840.mspx),
    I
    : believe that there are several mis-statements that should addressed in the
    : "Mitigating Factors" section.
    :
    : 1) "In a Web-based attack scenario, an attacker would have to host a Web
    : site that contains a Web page that is used to exploit this vulnerability."
    : This is false. Attackers can post infected files to unsecured websites or
    : photo blogs like Flickr. Hosting the website would add an unwanted trail
    to
    : the hacker and is avoided by all but the most inexperienced hackers.
    While
    : script kiddies will host this exploit, the more advanced exploitations are
    : likely to pop up on websites NOT hosted by the attackers.
    :
    : In fact, all you have to do is ciew an infected image onscreen to
    : launch the attack against your PC.
    :
    : 2) "Instead, an attacker would have to persuade users to visit the Web
    site,
    : typically by getting them to click a link in an e-mail or Instant
    Messenger
    : request that takes users to the attacker's Web site." Also not true.
    : Pop-ups can also hold exploits used to take over a user's PC. As you are
    : aware, you don;t have to do anything to get a pop-up to launch except
    visit
    : a site that may have no knowledge of what is in the pop-up (other than any
    : advertising agreements they have with the pop-up target site or ad
    : reseller).
    :
    : Also not taken into account is the rather nasty habit that most
    : websites (even sites like www.CNN.com) of hosting third-party images that
    : are frequently retrieved from even a 4th, 5th or Xth party site. This
    : increases the likelihood of an attack being launched via 3rd party images
    on
    : even well-respected sites like www.cnn.com or www.cnet.com .
    :
    : 3) "In an e-mail based attack involving the current exploit, customers
    would
    : have to click on a link in a malicious e-mail or open an attachment that
    : exploits the vulnerability." This is not true for any user that reads
    thier
    : email in HTML format. HTML emails automatically download and display
    images
    : in HTML emails. This means that simply reading an HTML email can infect
    an
    : unpatched machine. You don't have to click a thing.
    :
    : A little lower in the updated advisory Microsoft states "In Windows
    : Server 2003, Microsoft Outlook Express uses plain text for reading and
    : sending messages by default. When replying to an e-mail message that is
    sent
    : in another format, the response is formatted in plain text.", indicating
    : that they are aware of the HTML email vulnerability, but not making it
    clear
    : that reading emails in HTML format can launch an attack without clicking
    on
    : anything.
    :
    : 4) "At this point, no attachment has been identified in which a user can
    be
    : attacked simply by reading mail." This is true and should be
    differentiated
    : from #3's mis-statement. An attachment must be clicked to be viewed.
    Note
    : the word "attachment". HTML emails (if read in HTML format) load thier
    : images from servers ad display them automatically within the email when
    you
    : view the HTML email. When reading an HTML email that contains and
    infected
    : image file, you do not need to click anything for the exploit to be
    : executed. The display of the image on your screen is all it takes to
    launch
    : it's payload.
    :
    : Financial Times states "Unlike most attacks, which require victims to
    : download or execute a suspect file, the new vulnerability makes it
    possible
    : for users to infect their computers with spyware or a virus simply by
    : viewing a web page, e-mail or instant message that contains a contaminated
    : image." - at
    : http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html
    :
    : 5) "This issue is not known to be wormable." Not true. An MSN Messenger
    : worm has already been reported to be spreading in the wild - see
    : http://www.f-secure.com/weblog/archives/archive-122005.html and
    : http://www.viruslist.com/en/weblog?discuss=176892530&return=1.
    :
    : If I've got anything wrong here (I'm not perfect either ;) )....speak up.
    :
    : Jim
    :
    :
    :
     
    Ken Schaefer, Jan 4, 2006
    #2
    1. Advertisements

  3. Jim

    Jim Guest

    Thanks.....I will send it and let you know what they say.

    Jim

     
    Jim, Jan 4, 2006
    #3
  4. Jim, also I think one cross-posted thread is enough. Over here in the Tablet
    PC newsgroup these multiple threads are beginning to be quite a distraction
    and I imagine elsewhere too.

    --
    Josh Einstein
    Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
    www.tabletoutlook.com

     
    Josh Einstein, Jan 4, 2006
    #4
  5. Jim

    David Candy Guest

    Just some hysterical person who thinks they've discovered something.

    --
    --------------------------------------------------------------------------------------------------
    Goodbye Web Diary
    http://margokingston.typepad.com/harry_version_2/2005/12/thank_you_and_g.html#comments
    =================================================
     
    David Candy, Jan 4, 2006
    #5
  6. Jim

    Chuck Guest

    Watch Out!
     
    Chuck, Jan 5, 2006
    #6
  7. Jim

    Mike Fields Guest

    Mike Fields, Jan 5, 2006
    #7
  8. Jim

    Chuck Guest

    Chuck, Jan 5, 2006
    #8
  9. Jim

    David Candy Guest

    There I fixed it so it will work.

    --
    --------------------------------------------------------------------------------------------------
    Goodbye Web Diary
    http://margokingston.typepad.com/harry_version_2/2005/12/thank_you_and_g.html#comments
    =================================================
     
    David Candy, Jan 5, 2006
    #9
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.