Re: [Full-Disclosure] Microsoft and Security

From: Brian Toovey (btoovey_at_igxglobal.com)
Date: 06/25/04

    To: full-disclosure@lists.netsys.com
    Date: Fri, 25 Jun 2004 16:47:08 -0400
    
    
    

    Anybody got a packet dump of the attack yet so we can regex out this
    vuln against IIS?

    It is quite terrible that this IE vuln has gone on now for two weeks -
    from what I understand this is a "product feature", and that's why they
    haven't addressed it.

    We filter our local redirects at our proxy to protect against it. Your
    thoughts on that method equiv?

    Brian

    On Fri, 2004-06-25 at 14:53, http-equiv@excite.com wrote:

    > Where is Microsoft now "protecting their customers" as they love
    > to bray? Should not someone in authority of this public company
    > step forward and explain themselves at this time?
    >
    > All of a sudden panic is being created across the WWW with "IIS
    > Exploit Infecting Web Site Visitors With Malware", "Mysterious
    > Attack Hits Web Servers", "Researchers warn of infectious Web
    > sites" all stemming from all news accounts from an
    > unpatched "problem" with Internet Explorer now two weeks old and
    > counting, which in fact in reality stems from 10 months ago,
    > that being the adodb.stream safe for scripting control with
    > write capabilities.
    >
    > What exactly is being done about this? Nothing. What does
    > multiple billions of dollars buy you today. Nothing. However for
    > $20 million you can almost fly to the moon.
    >
    > Someone ought to step forward and explain what exactly is
    > happening at this public company. The great "protector of their
    > customers". One might even suggest that their entire "security"
    > mandate be re-examined. What exactly do they consider a
    > vulnerability? Something that suits them or something that's
    > cost effective to fix. So what, a few people lose their
    > identities, have a few dollars extracted from their bank
    > accounts, have their home pages reset, we'll fix it when it
    > suits us as we have to be on budget this quarter. The Big Boss
    > says $40 billion isn't enough this year.
    >
    > A vulnerability:
    >
    > http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx
    >
    > "A security vulnerability is a flaw in a product that makes it
    > infeasible even when using the product properly to prevent an
    > attacker from usurping privileges on the user's system,
    > regulating its operation, compromising data on it, or assuming
    > ungranted trust."
    >
    > What is this gibberish? For the past 10 months the adodb.stream
    > object is capable of writing files to the "all important
    > customer's" computer. It has real world consequences. It rapes
    > their computer. Does it fit into the gibberish custom
    > definition. Plain and simple: "A security vulnerability is a
    > flaw in a product that makes it infeasible". What kind of
    > language is this. Reads like the financial department conjured
    > it up.
    >
    > Disabling scripting won't solve it. Putting sites in one of the
    > myriad of "zones" won't solve it. Internet Explorer can
    > trivially be fooled into operating in the less than secure so-
    > called "intranet zone" and it can be guided there remotely.
    >
    > What's happening here. Where is the Microsoft representative
    > explaining all of this to the shareholders and "customers" they
    > so dearly wish to protect. This is unacceptable. Someone must
    > be held accountable.

    Brian Toovey
    Senior Security Analyst
    igxglobal

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


