Re: MS02-066 - fixes, gaps and incorrect statements
From: GreyMagic Software (security@GREYMAGIC.COM)
Date: 11/25/02
Date: Mon, 25 Nov 2002 19:07:32 +0200
From: GreyMagic Software <security@GREYMAGIC.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
>In MS02-066 Microsoft claim they've fixed several Cross Domain
>Verification problems. Unfortunately, they are not really clear on
>which vulnerabilities they fix.
Fixed by MS02-066:
- javascript: URLs in sub-frames (Who framed).
- IFrame's "Document" property (D-Day).
- showModalDialog caching.
- createRange caching (partial).
- elementFromPoint caching.
- getElementById caching.
- getElementsByName caching.
- getElementsByTagName caching.
- execCommand caching.
- location.assign caching.
- location.replace caching.
- document.write caching.
- %2F URL encoding.
Not fixed:
- external caching.
- clipboardData caching.
- Many older ones.
Incorrect statements:
Microsoft is down-playing the impact of the vulnerabilities they talk about
in MS02-066.
"The vulnerabilities would only allow an attacker to read files on the user's
local system that can be rendered in a browser window, such as image
files, HTML files and text files."
This is incorrect: the vulnerabilities would allow an attacker to read any
type of file, regardless of whether it can be rendered in the browser or
not, by using the XMLHTTP object.
Then they go on to say:
"The vulnerabilities would not provide any way for an attacker to put a
program of their choice onto another user's system."
"An attacker would need to know the name and location of any file on the
system to successfully invoke it."
"The vulnerabilities could only be used to view or invoke local executables.
It could not be used to create, delete, or modify arbitrary or malicious
files."
All three of these statements are incorrect. Using the HTML Help control, it is
possible to execute arbitrary commands as demonstrated by Andreas Sandblad
at http://online.securityfocus.com/archive/1/298748. This includes the
execution of arbitrary WSH script, which is able to perform all of the
actions outlined as impossible above.
We reported these problems to Microsoft and a new revision of the bulletin
should be released soon.