Re: Alert: Microsoft Security Bulletin - MS03-023
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Thu, 10 Jul 2003 00:46:04 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Float like a Dove, or Sting like a Bee...
Ok, here's another example of "Trustworthy Computing".
For quite some time Microsoft has offered up, as a mitigator, the fact that the Outlook Email Security Update and Outlook 2002, and/or Outlook Express 6.x, in default mode, are great at thwarting any attack which involves HTML-based email and scripting. All of those environments render email in the Restricted Sites Zone with scripting disabled.
But when I read MS03-023, it stood out like a sore thumb the fact that this was not offered as a mitigator. The attack, as described by DigitalScream, required scripting after all. So why wouldn't running Outlook in the Restricted Sites Zone prevent such an email-borne attack?
Maybe its the fact that none of the 30+ vulnerabilities which have made possible attacks via HTML-based email (over the past two years) have ever come to fruition. So maybe email-AV are bearing fruit? Of course the overwhelming majority of zombies aren't corporate clients (those that have email-AV.) All possible, but not excusable, reasons for not offering the mitigator.
I can't believe that the MSRC has become so void of knowledge that they believe its not important to impress the value of such great MS tools...but, they all seem to have forgotten so many other legacies, maybe its true.
On its face, its difficult to believe that such mitigators will not thwart an attack against this vulnerability. But I called the new Manager of the MSRC, and asked him this specifically more than 7 hours ago. He told me he'd be back to me in 5 minutes. The new information I have for you is as follows;
<media inflammatory on>
1. 5 minutes is longer in Redmond than anywhere else I've dealt with (and that's a lot of places.)
2. It must be true, you can get this exploit to run despite all of the Trust Zone facilities in MS email products (and Service Packs), otherwise, they'd have been able to say quite quickly that it was simply a mitigator they overlooked (umm, the most important one I'd say.)
3. They're assessment as "Critical" is, IMO, understated. If a scripting HTML-based email can by-pass such security measures that prevent such exploitation, they need to come up with a new category.
4. Expect "security researchers" to divulge far more really soon. Anyone who can come up with something which can by-pass the security restrictions imposed by the Restricted Sites Zone is not going to leave it at that.
</media inflammatory off>
Now of course its possible that the newly formed Microsoft Security Response Center are simply people with, um, no clue? But to my way of thinking, unless their only customers are people who blindly take updates from WU without thinking (e.g. don't have to deploy a patch to 10's of 1000's of systems), they should be able to answer a simple question like "did you just forget to mention an important mitigator?".
This message comes after 6 calls to the MSRC.
Russ - NTBugtraq Editor
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to