Re: Alert: Microsoft Security Bulletin - MS02-059

From: Jeremy Epstein (jepstein@WEBMETHODS.COM)
Date: 10/17/02

Date:         Thu, 17 Oct 2002 09:33:03 -0400
From: Jeremy Epstein <jepstein@WEBMETHODS.COM>

Microsoft really underplays the risk in one important area when they say
(under Mitigating Factors):

> - The user could always view the field codes or external updates.
> The field codes or external updates used in the attack can be
> revealed, as they are only hidden to prevent cluttering the
> document when it is being viewed or edited. A method of checking
> documents for additional undesired information is described in
> the Frequently Asked Questions below.

If you put the field code in 1 point hidden text in a footnote (or somewhere
else pretty obscure), it's highly unlikely anyone would ever see it. Very
few Word users understand fields or hidden text, so it's easy to put fields
in places they'll never be found.


P.S. They also missed a bit of template editing in the alert, which says
just below the "Severity Rating": "The above assessment is based on the
types of systems affected by the vulnerability, their typical deployment
patterns, and the effect that exploiting the vulnerability would have on
them. [One or two sentences explaining the rationale for the rating. Don't
justify every point; just give high-level info that puts the issue in
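
A defender's check for the concealment described in the message above (a field code placed in hidden, 1-point text in a footnote), as an added example that is not part of the original message or of Microsoft's bulletin. It assumes the modern .docx (WordprocessingML) package format rather than the 2002-era binary .doc; the function names, the `EXAMPLEFIELD` instruction and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

def _enabled(el):
    # A toggle such as <w:vanish/> is on unless its w:val says otherwise.
    return el is not None and el.get(W + "val", "true") not in ("0", "false", "off")

def find_concealed_fields(docx_bytes, max_half_points=8):
    """Return (part, instruction, reasons) for field codes in hidden or tiny runs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in sorted(z.namelist()):  # body, footnotes, headers, ...
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            # For untrusted files, parse with a hardened parser such as defusedxml.
            for run in ET.fromstring(z.read(part)).iter(W + "r"):
                instr = "".join(t.text or "" for t in run.iter(W + "instrText")).strip()
                rpr = run.find(W + "rPr")
                if not instr or rpr is None:
                    continue
                reasons = []
                if _enabled(rpr.find(W + "vanish")):
                    reasons.append("hidden")
                sz = rpr.find(W + "sz")  # w:sz is in half-points: 1 pt == 2
                if sz is not None and int(sz.get(W + "val", "999")) <= max_half_points:
                    reasons.append("tiny font")
                if reasons:
                    findings.append((part, instr, reasons))
    return findings

def build_sample():
    """Constructed minimal package: one visible field, one concealed in a footnote."""
    ns = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    body = (f'<w:document {ns}><w:body><w:p><w:r><w:rPr><w:sz w:val="24"/></w:rPr>'
            '<w:instrText> PAGE </w:instrText></w:r></w:p></w:body></w:document>')
    notes = (f'<w:footnotes {ns}><w:footnote w:id="1"><w:p><w:r><w:rPr><w:vanish/>'
             '<w:sz w:val="2"/></w:rPr><w:instrText> EXAMPLEFIELD "constructed" '
             '</w:instrText></w:r></w:p></w:footnote></w:footnotes>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
        z.writestr("word/footnotes.xml", notes)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in find_concealed_fields(build_sample()):
        print(finding)
```

The scan only looks at direct run formatting and `w:instrText`; hidden or small text inherited from a style, and fields written as `w:fldSimple`, need additional handling.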