Re: File Transfer Manager (FTM) vulnerability???

From: Rich Benack [MS] (richbe@online.microsoft.com)
Date: 08/23/02


From: "Rich Benack [MS]" <richbe@online.microsoft.com>
Date: Thu, 22 Aug 2002 16:22:57 -0700


Please be advised that this mailing is indeed a valid Microsoft Security
Response Center mailing concerning a security vulnerability in a Microsoft
product. Due to the targeted ability of Microsoft to reach all of the
subscribers to this service, because registration for File Transfer Manager
is required, the Microsoft Security Response Center did not issue a Security
Bulletin for this alert. You can always, however, verify the integrity of
mailings from the Microsoft Security Response Center by verifying the PGP
Key with which the mailing is signed.

Rich

This posting is provided "AS IS" with no warranties, and confers no rights

"Michael Weiss" <FooWeissBarMike@hotmail.com> wrote in message
news:#QEbZ8ESCHA.1672@tkmsftngp12...
> I received this email below, is this legit?
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Dear Microsoft Customer -
>
> The Microsoft Security Response Center has learned of a security
> vulnerability affecting a software component used only by members of
> certain Microsoft customer programs. You've received this mail
> because you have registered as a member of one of the programs and
> may have come in contact with the component that contains the
> vulnerability. Microsoft believes that only a small number of
> customers actually are at risk, but we do urge you to use the
> following information to ensure that your system is secure.
>
> The vulnerability could enable an attacker to gain control over
> another user's system. It lies in a software component called the
> File Transfer Manager (FTM), the purpose of which is to allow members
> of Microsoft beta programs, MSDN, Microsoft Volume Licensing
> Services, and a small number of other Microsoft programs to download
> software from certain Microsoft sites. The FTM is only distributed
> through these programs, but not every member has installed it. Even
> among customers who have installed it, not all are at risk, as only
> certain versions contain the vulnerability.
> Microsoft recommends that all customers receiving this mail determine
> whether the FTM is installed on their systems and, if so, ensure that
> they have either upgraded to the latest version (FTM 4.0) or removed
> the vulnerable version. A web page
> (http://transfers.one.microsoft.com/ftm/install) is available that
> provides step-by-step instructions for doing this. The entire
> process takes only minutes.
>
> We'd like to thank Andrew Tereschenko for identifying the security
> vulnerability and working with us as we developed a solution. We at
> Microsoft sincerely apologize for any inconvenience, and look forward
> to continuing to work with you as a member of a Microsoft customer
> program.
>
> Regards,
>
> The Microsoft Security Response Center
>
> -----BEGIN PGP SIGNATURE-----
>
> Version: PGP 7.1
>
> -----END PGP SIGNATURE-----
>
> *******************************************************************
>
> You have received this e-mail bulletin because you are a member of one or
> more Microsoft customer programs that distribute the File Transfer Manager.
> You have not been subscribed to any newsletters; this is a one-time mailing.
>
> To verify the digital signature on this bulletin, please download our PGP
> key at http://www.microsoft.com/technet/security/notify.asp.
>
> For security-related information about Microsoft products, please visit the
> Microsoft Security web site at http://www.microsoft.com/security.
>
>
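Checking the PGP signature, as the reply above recommends, only works on an unmodified copy of the mailing; a copy that has been `>`-quoted or re-spaced has to be restored first. The Python below is an added example, not part of the original post or of any Microsoft material: it recovers the bytes a cleartext signature covers (RFC 4880 rules) from a quoted copy and checks the armor's CRC-24 line. The function names and the sample message are constructed, and the cryptographic check itself still needs the signer's public key (for example with `gpg --verify`).

```python
import base64
import re

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (the '=XXXX' armor checksum line)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def unquote(text: str) -> str:
    """Strip one level of '>' reply quoting from every line."""
    return "\n".join(re.sub(r"^> ?", "", line) for line in text.splitlines())

def parse_clearsigned(text: str):
    """Return (signed_bytes, armor_checksum_ok) for one clearsigned message."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    sig = lines.index("-----BEGIN PGP SIGNATURE-----")
    end = lines.index("-----END PGP SIGNATURE-----")
    body = []
    for line in lines[lines.index("", start) + 1:sig]:  # skip "Hash:" headers
        if line.startswith("- "):            # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))      # trailing blanks are not signed
    signed = "\r\n".join(body).encode()      # CRLF line ends, no final newline
    armor = lines[lines.index("", sig) + 1:end]         # skip "Version:" header
    data = base64.b64decode("".join(armor[:-1]))
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return signed, armor[-1] == check

def make_sample() -> str:
    """Constructed message; the 'signature' bytes are filler, not a real one."""
    fake_sig = bytes(range(48))
    check = "=" + base64.b64encode(crc24(fake_sig).to_bytes(3, "big")).decode()
    return "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----", "",
        "Dear Customer -  ", "- -- constructed sample text", "",
        "-----BEGIN PGP SIGNATURE-----", "Version: constructed", "",
        base64.b64encode(fake_sig).decode(), check,
        "-----END PGP SIGNATURE-----"])

if __name__ == "__main__":
    quoted = "\n".join("> " + l for l in make_sample().splitlines())
    print(parse_clearsigned(unquote(quoted)))
```

The CRC-24 only detects accidental damage to the armor; it is not a substitute for verifying the signature against a key obtained from a trusted source.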


