MS02-023 and claims about its adequacy

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 05/17/02


Date:         Fri, 17 May 2002 15:04:57 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

According to Microsoft claims by GreyMagic, that MS02-023 does not fully address issues that the bulletin states it fixes, are not accurate. Microsoft have recently been made aware of variants to the original issues presented to them, and these new variants do appear to affect the same procedures fixed by MS02-023. However, the variants use vectors which were not part of the original vulnerabilities and, therefore, not fixed. Now that Microsoft has been made aware of these variants, they are working on fixes for those new issues.

As you can imagine, crafting variants is not an absolute task, nor easy or quick, and in fix development there must be a cut-off point at which time a fix goes into testing, packaging, signing, etc...

Microsoft assure me they will not be releasing a revised binary for MS02-023. When these variants are fixed, they will be released either as part of a new hotfix or in the next cumulative IE patch. Administrators should not believe the binary currently available will be revised.

This is not intended to be a slam against GreyMagic, nor is it meant to be a ringing endorsement of MS' ability to discover variants. Clearly GreyMagic has found some that MS has not. But MS does not have the luxury of time that GreyMagic does in these scenarios. Since GreyMagic opts to publish their findings directly to lists before MS has been able to develop a patch, its no wonder that Microsoft has to play catch-up. In an ideal world, GreyMagic would prefer to test Microsoft's patches prior to their release, and prior to disclosure of vulnerabilities, so that the patch could be held up when GreyMagic discovers new variants that Microsoft has not. I can understand why GreyMagic might not want to do this, but it would be preferred by the Administrators who find out on the day a patch is released that new vulnerabilities exist that aren't addressed by said patch.

Cheers,
Russ - NTBugtraq Editor