Re: File Transfer Manager (FTM) vulnerability???

From: Jim Corio (jimmy@yuppieghetto.com)
Date: 08/29/02


From: jimmy@yuppieghetto.com (Jim Corio)
Date: 29 Aug 2002 07:56:59 -0700


Seeing as you can vouch for the validity, can you provide any
information to the vulnerability? May we already have mitigating
processes in place to prevent exploitation? I don't feel comfortable
putting a patch on just because a vendor says to... I need to
understand where the vulnerability is and to what extent it can be
exploited.

Is there someplace that has this type of information?

Jim

"Rich Benack [MS]" <richbe@online.microsoft.com> wrote in message news:<O9hd3KjSCHA.2392@tkmsftngp13>...
> Please be advised that this mailing is indeed a valid Microsoft Security
> Response Center mailing concerning a security vulnerability in a Microsoft
> product. Due to the targeted ability of Microsoft to reach all of the
> subscribers to this service, because registration for File Transfer Manager
> is required, the Microsoft Security Response Center did not issue a Security
> Bulletin for this alert. You can always however verify the integrity of
> mailings from the Microsoft Security Response Center by verifying the PGP
> Key with which the mailing is signed.
>
> Rich
>
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "Michael Weiss" <FooWeissBarMike@hotmail.com> wrote in message
> news:#QEbZ8ESCHA.1672@tkmsftngp12...
> > I received this email below, is this legit?
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > Dear Microsoft Customer -
> >
> > The Microsoft Security Response Center has learned of a security
> > vulnerability affecting a software component used only by members of
> > certain Microsoft customer programs. You've received this mail
> > because you have registered as a member of one of the programs and
> > may have come in contact with the component that contains the
> > vulnerability. Microsoft believes that only a small number of
> > customers actually are at risk, but we do urge you to use the
> > following information to ensure that your system is secure.
> >
> > The vulnerability could enable an attacker to gain control over
> > another user's system. It lies in a software component called the
> > File Transfer Manager (FTM), the purpose of which is to allow members
> > of Microsoft beta programs, MSDN, Microsoft Volume Licensing
> > Services, and a small number of other Microsoft programs to download
> > software from certain Microsoft sites. The FTM is only distributed
> > through these programs, but not every member has installed it. Even
> > among customers who have installed it, not all are at risk, as only
> > certain versions contain the vulnerability.
> >
> > Microsoft recommends that all customers receiving this mail determine
> > whether the FTM is installed on their systems and, if so, ensure that
> > they have either upgraded to the latest version (FTM 4.0) or removed
> > the vulnerable version. A web page
> > (http://transfers.one.microsoft.com/ftm/install) is available that
> > provides step-by-step instructions for doing this. The entire
> > process takes only minutes.
> >
> > We'd like to thank Andrew Tereschenko for identifying the security
> > vulnerability and working with us as we developed a solution. We at
> > Microsoft sincerely apologize for any inconvenience, and look forward
> > to continuing to work with you as a member of a Microsoft customer
> > program.
> >
> > Regards,
> > The Microsoft Security Response Center
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 7.1
> > -----END PGP SIGNATURE-----
> >
> > *******************************************************************
> >
> > You have received this e-mail bulletin because you are a member of one or
> > more Microsoft customer programs that distribute the File Transfer Manager.
> > You have not been subscribed to any newsletters; this is a one-time mailing.
> >
> > To verify the digital signature on this bulletin, please download our PGP
> > key at http://www.microsoft.com/technet/security/notify.asp.
> >
> > For security-related information about Microsoft products, please visit the
> > Microsoft Security web site at http://www.microsoft.com/security.