Re: MS02-023 and claims about its adequacy

From: GreyMagic Software (security@GREYMAGIC.COM)
Date: 05/17/02

Date: Fri, 17 May 2002 23:24:28 +0200
From: GreyMagic Software <security@GREYMAGIC.COM>

>According to Microsoft, claims by GreyMagic that MS02-023 does not
>fully address issues that the bulletin states it fixes are not
>accurate. Microsoft have recently been made aware of variants to the
>original issues presented to them, and these new variants do appear
>to affect the same procedures fixed by MS02-023. However, the
>variants use vectors which were not part of the original
>vulnerabilities and, therefore, not fixed.

This is simply not true.

As we've said in our advisory, and as we've said in all posts since, this is
the EXACT SAME core issue that Thor Larholm presented in his TL002 advisory.

Microsoft may find it comfortable to call this a "different issue," but the
facts show otherwise. If Microsoft took the time to see whether dialogArguments
gets passed to redirected dialogs in other versions than IE6, they would have
found the same thing we did.

Evidently, Microsoft didn't do their due research on this bug and are now
looking to blame the messenger. Well, blaming the messenger is nothing new for
Microsoft, but claiming this to be a "different issue" should come as an insult
to anyone who can see beyond her snout.

>As you can imagine, crafting variants is not an absolute task, nor
>easy or quick, and in fix development there must be a cut-off point
>at which time a fix goes into testing, packaging, signing, etc...

Again, we are in disagreement. In this case it is extremely easy to see whether
other versions are vulnerable, not to mention that it is a job that has to be
done, even if it's "not easy". There is simply no justification for the lack of
basic testing in this case, none.

>Clearly GreyMagic has found some that MS has not. But MS does not
>have the luxury of time that GreyMagic does in these scenarios. Since

Luxury of time?

For those who may not have noticed, it took only 2 hours for us to release our
GM#001-AX advisory after Thor's original TL002 advisory. Two hours, including
discovering, testing, writing the advisory and putting in a demonstration.
Microsoft had 2 months and the information right in front of their face, yet
somehow they managed to miss it. Time is definitely not a big factor.

>GreyMagic opts to publish their findings directly to lists before MS
>has been able to develop a patch, it's no wonder that Microsoft has to

That's right, we prefer to let people know that they are vulnerable so they can
take immediate action. Microsoft prefers to keep these little facts to itself,
letting organizations and people stay vulnerable for months at a time until a
patch finally arrives. And in many cases, arrives broken.

>play catch-up. In an ideal world, GreyMagic would prefer to test
>Microsoft's patches prior to their release, and prior to disclosure
>of vulnerabilities, so that the patch could be held up when GreyMagic
>discovers new variants that Microsoft has not. I can understand why
>GreyMagic might not want to do this, but it would be preferred by the

We never received a request from Microsoft to test their patches; if one should
arrive we would be happy to consider it.

>Administrators who find out on the day a patch is released that new
>vulnerabilities exist that aren't addressed by said patch.

Not new vulnerabilities, the exact same vulnerabilities, only in different

Whether this was meant to be a "slam against GreyMagic" or not, we find
Microsoft's defensive line quite disturbing. Instead of admitting to its
blatantly obvious errors, Microsoft avoids responsibility for its pitfalls.

        - GMS.