Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:3844
HistoryDec 09, 2002 - 12:00 a.m.

Notes on MS02-068, extensive downplaying of severity

2002-12-0900:00:00
vulners.com
10
JSON

Following the release of the cumulative MS02-066 patch from the previous
week, Microsoft has released yet another cumulative patch for Internet
Explorer - MS02-068, which can be found at
http://www.microsoft.com/technet/security/bulletin/MS02-068.asp

The sole vulnerability that MS02-068 patches is the "external object
caching" vulnerability discovered by GreyMagic Software. The rater
surprising aspects of this bulletin is the extensive downplaying of severity
and the incorrect mitigating factors.

Microsoft has given this vulnerability a maximum severity rating of
"Moderate". Great, so arbitrary command execution, local file reading and
complete system compromise is now only moderately severe, according to
Microsoft.

Moving on to the technical description, we see yet more inaccuracies. The
entire first paragraph is a falsum:

"Exploiting the vulnerability could enable an attacker to read, but not
change, any file on the user's local computer. In addition, the attacker
could invoke an executable that was already present on the local system. The
attacker would need to know the exact location of the executable, and would
not be able to pass parameters to it. Microsoft is not aware of any
executable that ships by default as part of Windows and, when run without
parameters, could be dangerous. "

Allow me to rephrase:
Exploiting the vulnerability could enable an attacker to perform any action
on the local computer that the user being exploited can perform. This
includes, but is not limited to, reading and changing any file on the user's
local computer, forcefully placing arbitrary files on the system in any
location and invoking any executable on the system both with and without
parameters.

Further down we find yet more inaccuracies:
"Without the ability to pass parameters, it's unlikely that an attacker
could do much. For instance, although the attacker could run the command
prompt, he couldn't pass a command (e.g., format c:) to it. "
"This vulnerability provides no way for an attacker to transfer a program of
their choice to the user's system. "

Since we can already create and execute arbitrary command scripts on the
machine, I fail to see how the above can be remotely accurate. Accomplishing
this is as simple as creating and executing an automated FTP script, or
merely recreating an EXE file from an embedded string in the HTML.

Microsoft are very much aware of this, and even modified the MS02-066
bulletin (following the post from GreyMagic on Bugtraq) to provide
assistance in mitigating how the HTML Help control can execute commands in
the local zone.

It seems like Microsoft are deliberately downplaying the severity of their
vulnerabilities in an attempt to gain less bad press. It sure would look bad
to release 2 critical cumulative updates in just 2 weeks, but that is
exactly what has been done. As it stands now, the bulletin is released and
most journalists willing to comment have already noticed the "Moderate"
label and the extensive list of (incorrect) mitigating factors, and quite
likely will not write anything on just how severe this really is. I doubt
most people care to read the revisions to the bulletin that will come later.

There are currently 18 unpatched publicly known vulnerabilities in Internet
Explorer, of which I have labelled 6 as severe.

http://www.pivx.com/larholm/unpatched/

Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC

Strike Now, StrikeFirst!
http://www.pivx.com/sf.html

JSON