Re: Claims Regarding the MS02-023 Security Bulletin

From: Mark Strelecki, ACP (be6-506@nospam.strelecki.com)
Date: 05/20/02


From: " Mark Strelecki, ACP" <be6-506@nospam.strelecki.com>
Date: Mon, 20 May 2002 15:43:40 -0400


Sorry David -

I tried FOUR TIMES to post a reply here to your message but was rebuffed
each time.

Seems messages are being filtered in this group, as my other replies to
other threads worked properly.

I didn't have the kindest words for MS, it would appear.

It's their newsgroup - they can filter whatever they please, I guess.

Greets from Atlanta, GA.

--
Mark Strelecki,  ACP          BE6.2600.011208c
Computing and Programming Since 1975  http://www.strelecki.com
Protect Your Rights -- Fight UCITA   http://www.4cite.org
"David Dickinson [MVP]" <eis.no-spam@softhome.net> wrote in message
news:#9XKGm9$BHA.1848@tkmsftngp05...
> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> news:OVsxtc6$BHA.2276@tkmsftngp02...
> <snip>
>
> Dear Mr. Jacobs,
>
> After wading through your uncalled-for insults, useless hyperbole,
> baseless accusations, and unproductive emotionalism, your concern appears
> to boil down to problems with the identification of specific
> vulnerabilities.  I agree that distinctive identifications would be
> beneficial to the discussion at hand.  Some of the confusing dispute
> surrounding MS02-023 seems to be caused by the lack of such adequate
> identifications on both sides -- but for which the primary blame must be
> placed on the proponents of the issue: the accusers.  The remainder of the
> dispute seems to lie in who reported what to whom and when.
>
> Positivists always must bear the burden of proof.  Reviewing the evidence,
> such proof may be difficult to provide.
>
> Thor Larholm discovered the vulnerability addressed in MS02-023 on March
> 18, 2002, and notified Microsoft about it at that time.  The vulnerability
> he described at
>
> http://jscript.dk/adv/TL002/
>
> was with input validation in a resource that is included in Internet
> Explorer 6 and not in earlier versions.  Specifically, Mr. Larholm showed
> a vulnerability while using the dialogArguments property.  As GreyMagic
> states, "[Mr Larholm's] demonstration is confined to IE6 because the
> resource he found to be exploitable first appeared in IE6" (ref:
> http://sec.greymagic.com/adv/gm001-ax/).  The resource that Mr. Larholm
> discussed is res://shdoclc.dll/analyze.dlg.  Mr. Larholm made no claims
> about earlier versions of Internet Explorer.
>
> Microsoft submitted a candidate identification for this vulnerability to
> CVE, namely CAN-2002-0189:
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=%20CAN-2002-0189
>
> Unfortunately, the vulnerability so identified turns out to be poorly
> defined.
>
> I attempted to run the proof-of-concept demonstrations offered by
> GreyMagic at
>
>     http://sec.greymagic.com/adv/gm001-ax/
>
> Internet Explorer 6.0 (patched) reports:
>
>     An error has occured in this dialog:
>     Error: 23
>     'window.dialogArguments.document' is null or not an object
>
> I obtained similar results after attempting to run the proof-of-concept
> demonstrations from Mr. Larholm at
>
>     http://jscript.dk/adv/TL002/
>
> (I did not perform the test against MSN Messenger because we don't have it
> on any of our computers.)
>
> However, the demonstrations succeed when run on unpatched IE 6.0.  I
> looked at the code offered by those two sources and they appear to be
> sufficient tests.
>
> My test results allow only one conclusion: the Cross-Site Scripting in
> Local HTML Resource (CAN-2002-0189) vulnerability discussed in MS02-023
> has, indeed, been fixed.
>
> However, GreyMagic claims to have found a similar vulnerability in a
> resource that shipped with earlier versions of Internet Explorer,
> specifically in res://shdoclc.dll/analyze.dlg.  GreyMagic admits to
> discussing a different exploitable resource than that discovered by Mr.
> Larholm.  It is unclear whether or not GreyMagic or Mr. Larholm reported
> these newer findings to Microsoft.  Microsoft says that they did not.
> GreyMagic only implies in a message
>
>     From: GreyMagic Software [SMTP:security@GREYMAGIC.COM]
>     Sent: Thursday, May 16, 2002 6:43 AM
>     To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
>     Subject: MS02-023 does not patch actual issue, users are still
> vulnerable!
>
> that they did, but they don't come right out and say it either in that
> message or on their web site.  It should be noted that in all of
> GreyMagic's other advisories and not in this one, they say that "Microsoft
> has been informed".  In addition, GreyMagic claims that this is the same
> vulnerability as that found by Mr. Larholm, but Mr. Larholm never
> discussed it.
>
> While GreyMagic's tests do not succeed on Internet Explorer 6, I am unable
> to test their claim on earlier versions because we don't have them on any
> of our computers.
>
> I will be grateful to learn the results of such tests from people who have
> access to both patched and unpatched versions of Internet Explorer 5.01
> SP2 (Windows NT 4.0 SP6a or Windows 2000 SP1 or SP2) and Internet Explorer
> 5.5 SP1 or SP2.  Please note that if you are running an up-to-date version
> of McAfee VirusScan, you will have to disable it.  VirusScan traps all of
> these exploits.
>
> --
> David Dickinson, MVP (Security)
> EveningStar Information Services
> Las Cruces, NM USA
>
> Summary of Microsoft Security Bulletins
> http://www.zianet.com/bwd/securitybulletins.asp
>
>
>