As you probably know, on 15 May Microsoft released Security Bulletin
MS02-023 (http://www.microsoft.com/technet/security/bulletin/MS02-023.asp),
discussing the availability of a patch that eliminates several security
vulnerabilities affecting Internet Explorer. Since that time, several
claims have been posted to security mailing lists about the patch and the
bulletin, and we'd like to address those claims.
On 16 May, three claims were made regarding the first vulnerability
discussed in the bulletin, which involves a cross-site scripting
vulnerability in a local HTML resource that ships as part of IE.
- Claim 1: The bulletin describes the vulnerability incorrectly. In
reality, the bulletin's description is accurate, and this appears to be a
disagreement about how best to describe a security vulnerability. The
bulletin describes it in terms of the potential effect on a user, where the
author of the posting advocates discussing the underlying software flaw.
- Claim 2: The bulletin incorrectly says that it would be necessary for an
attacker to click a link in order to exploit the vulnerability. The author
of the posting is correct - once a user arrived at an attacker's web site,
it would be possible for the site to automatically exploit the
vulnerability. We have updated the bulletin accordingly.
- Claim 3: The patch didn't actually eliminate the vulnerability. This is
incorrect. The patch does eliminate the vulnerability discussed in the
bulletin. The author of the posting is actually describing an entirely new
variant of the vulnerability, which had never previously been reported to
Microsoft. We are investigating the newly reported issue.
On 17 May, an additional claim was aired regarding the second vulnerability
discussed in the bulletin, which involves an information disclosure
vulnerability affecting cascading style sheets. The author of this posting
claims that the patch doesn't actually eliminate this vulnerability.
However, as in the case discussed above, this appears to be a new variant
that had never previously been reported to Microsoft, and we are
investigating it.
While it's too soon to say what the two investigations will reveal, we do
want to assure customers that we will take the appropriate steps to help
them keep their systems secure. In the meantime, we strongly encourage
customers to apply the patch.
--
Regards,
Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities
Get Secure! www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
"ss" <lei...@public.qd.sd.cn> wrote in message
news:4d7901c1fe06$0e549e50$3aef2ecf@TKMSFTNGXA09...
> <snip>
At least one of Thor's points
(http://jscript.dk/unpatched/MS02-023update.html, May 16, 2002) has
already forced MS to change the bulletin.
The original version of MS02-023 said the following
regarding the "Cross-Site Scripting Vulnerability in Local
HTML Resource":
"A successful attack requires that a user first click on
a hyperlink. There is no way to automate an attack using
this vulnerability. "
[Thor's response:] "The above is blatantly untrue, and
was repeatedly demonstrated to MS both in the initial
notification phase and when we worked together to
reproduce the issue. Nothing in the world stops this
vulnerability from being automatically exploited."
_________________________
The original version of MS02-023 said the following
regarding the "Script within Cookies Reading Cookies"
vulnerability:
"An attacker would have to entice a user to first click on
a hyperlink to initiate an attempt to exploit this
vulnerability. There is no way to automate an attack that
exploits this vulnerability."
[Thor's response:] "Of course, this is also untrue since
Internet Explorer comes equipped with a nice click method
on links that a programmer can execute, duplicating an
actual click
(http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/click.asp).
As such, nothing stops anyone from exploiting this
vulnerability automatically."
____________________
Microsoft seemingly responded -- _by completely removing
those paragraphs_:
Revisions:
V1.0 (May 15, 2002): Bulletin Created.
V1.1 (May 16, 2002): Bulletin updated to correct erroneous
information regarding attack vectors for the Cross-Site
Scripting in Local HTML Resource and Script within Cookies
Reading Cookies vulnerabilities and the capabilities of
locally run scripts.
______________________
If nothing else, this gives Thor a hell of a lot of
credibility!
Microsoft has actually responded to Thor's (and others')
complaints here:
http://communities.microsoft.com/newsgroups/previewFrame.asp?ICP=security&sLCID=us&sgroupURL=microsoft.public.security&sMessageID=%253CukVOh9d%2524BHA.1696@tkmsftngp05%253E
_________________
"The bulletin incorrectly says that it would be necessary
for an attacker to click a link in order to exploit the
vulnerability. The author of the posting is correct -
once a user arrived at an attacker's web site, it would be
possible for the site to automatically exploit the
vulnerability. We have updated the bulletin accordingly."
"The patch does eliminate the vulnerability discussed in
the bulletin. The author of the posting is actually
describing an entirely new variant of the vulnerability,
which had never previously been reported to Microsoft. We
are investigating the newly reported issue."
_________________________
Anyone believe that last paragraph? Let's see,
Thor's site (http://jscript.dk/adv/TL002/) says:
Vendor status:
*Microsoft was notified 18 March 2002* and were able
to reproduce the issue consistently.
They are currently (16 April 2002) investigating whether
to address this in an upcoming cumulative patch.
__________________________
So, someone here is an out-and-out *liar*. So far,
Thor is looking pretty damn credible...
Amazingly, Microsoft decides to put the foot in deeper:
__________________________
"On 17 May, an additional claim was aired regarding the
second vulnerability discussed in the bulletin, which
involves an information disclosure vulnerability affecting
cascading style sheets. The author of this posting claims
that the patch doesn't actually eliminate this
vulnerability. However, as in the case discussed above,
this appears to be a new variant that had never previously
been reported to Microsoft, and we are investigating it."
__________________________
Again Microsoft's response is "we never heard of this
vulnerability". However,
GreyMagic (http://sec.greymagic.com/adv/gm004-ie/)
reports:
Solution:
Microsoft was first informed on *18 Feb 2002* (44
days ago), they have opened an investigation regarding
this issue and will probably release a patch in the near
future.
__________________________
Again, someone is LYING. Both of these vulnerabilities
were reported to BugTraq upon being discovered. So there
is really NO excuse for Microsoft to be claiming they
never heard of these.
Their response is quite disheartening.
> <snip>
> Again, someone is LYING. Both of these vulnerabilities
> were reported to BugTraq upon being discovered. So there
> is really NO excuse for Microsoft to be claiming they
> never heard of these.
>
> Their response is quite disheartening.
Except that you are forgetting the third vulnerability which is the one your
criticism is about (I hope that you understand that). Without identifiers
for the vulnerabilities under discussion, your comments become too vague.
Microsoft also should be more specific when discussing these issues. Since
MS02-023 addresses several vulnerabilities, each of which has its own
identifier, and since the criticisms address still other vulnerabilities
(which I am not sure have their own identifiers yet but certainly have
citations), part of the confusion is that folks are talking about apples and
oranges.
--
David Dickinson, MVP (Security)
EveningStar Information Services
Las Cruces, NM USA
Summary of Microsoft Security Bulletins
http://www.zianet.com/bwd/securitybulletins.asp
Wow, and I thought this was supposed to be a technical forum for discussing
technical problems in technical terms. Or are you really just a slimy lawyer
in technical sheep's clothing? I've selected this particular item because it
is the worst example in that particular post, but the entire thing was just
exceedingly mealy-mouthed.
Could you please explain what sort of TECHNICAL distinction you are trying
to make between a "vulnerability" and a "variant of the vulnerability".
Apparently, what you are actually doing is trying to disguise the fact
that Microsoft didn't understand the full scope of the underlying
vulnerability and thereby released a patch that only managed to cover one
conveniently known method of exploiting it. You are trying to do this by
twisting the word "vulnerability" to mean something like "a bug in our
software which can be exploited by a specific technique" whereas in the
second usage (in the SAME sentence) you are coming much closer to the normal
definition of "a bug in our software which allows violations of the system's
security".
Oh yeah, I forgot. There are NO bugs in Microsoft code. Only "known issues"
and "unknown issues". Paid for in advance, and on an "AS IS" basis. Well, at
least you're being accurate about the customers' rights.
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
Starting right from the first word of your subject, "claims", the overall
tone of your post is to criticize and belittle sincere people who are
concerned with such technical trivialities as REAL computer security and the
REAL and TECHNICAL causes of "vulnerabilities". Unfortunately for
Microsoft's credibility, I'd wager that most of the readers of this
newsgroup are in that boat, and most people do not appreciate being
criticized and belittled.
Then again, why should Microsoft care as long as we keep sending the money?
Correction: In my original post I said
"The resource that Mr. Larholm discussed is res://shdoclc.dll/analyze.dlg."
This is incorrect (and, if it was true, would make the rest of the post
useless). The resource that Mr. Larholm discussed is
res://shdoclc.dll/policyerror.htm.
I'm sorry for having introduced still more confusion into this discussion.
I tried FOUR TIMES to post a reply here to your message but was rebuffed
each time.
Seems messages are being filtered in this group, as my other replies to
other threads worked properly.
I didn't have the kindest words for MS, it would appear.
It's their newsgroup - they can filter whatever they please, I guess.
Greets from Atlanta, GA.
--
Mark Strelecki, ACP BE6.2600.011208c
Computing and Programming Since 1975 http://www.strelecki.com
Protect Your Rights -- Fight UCITA http://www.4cite.org
"David Dickinson [MVP]" <eis.n...@softhome.net> wrote in message
news:#9XKGm9$BHA.1848@tkmsftngp05...
> "Shannon Jacobs" <sha...@my-deja.com> wrote in message
> news:OVsxtc6$BHA.2276@tkmsftngp02...
> <snip>
>
> Dear Mr. Jacobs,
>
> After wading through your uncalled-for insults, useless hyperbole, baseless
> accusations, and unproductive emotionalism, your concern appears to boil
> down to problems with the identification of specific vulnerabilities. I
> agree that distinctive identifications would be beneficial to the discussion
> at hand. Some of the confusing dispute surrounding MS02-023 seems to be
> caused by the lack of such adequate identifications on both sides -- but for
> which the primary blame must be placed on the proponents of the issue: the
> accusers. The remainder of the dispute seems to lie in who reported what to
> whom and when.
>
> Positivists always must bear the burden of proof. Reviewing the evidence,
> such proof may be difficult to provide.
>
> Thor Larholm discovered the vulnerability addressed in MS02-023 on March 18,
> 2002, and notified Microsoft about it at that time. The vulnerability he
> described at
>
> http://jscript.dk/adv/TL002/
>
> was with input validation in a resource that is included in Internet
> Explorer 6 and not in earlier versions. Specifically, Mr. Larholm showed a
> vulnerability while using the dialogArguments property. As GreyMagic
> states, "[Mr Larholm's] demonstration is confined to IE6 because the
> resource he found to be exploitable first appeared in IE6" (ref:
> http://sec.greymagic.com/adv/gm001-ax/). The resource that Mr. Larholm
> discussed is res://shdoclc.dll/analyze.dlg. Mr. Larholm made no claims
> about earlier versions of Internet Explorer.
>
> Microsoft submitted a candidate identification for this vulnerability to
> CVE, namely CAN-2002-0189:
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=%20CAN-2002-0189
>
> Unfortunately, the vulnerability so identified turns out to be poorly
> defined.
>
> I attempted to run the proof-of-concept demonstrations offered by GreyMagic
> at
>
> http://sec.greymagic.com/adv/gm001-ax/
>
> Internet Explorer 6.0 (patched) reports:
>
> An error has occurred in this dialog:
> Error: 23
> 'window.dialogArguments.document' is null or not an object
>
> I obtained similar results after attempting to run the proof-of-concept
> demonstrations from Mr. Larholm at
>
> http://jscript.dk/adv/TL002/
>
> (I did not perform the test against MSN Messenger because we don't have it
> on any of our computers.)
>
> However, the demonstrations succeed when run on unpatched IE 6.0. I looked
> at the code offered by those two sources and they appear to be sufficient
> tests.
>
> My test results allow only one conclusion: the Cross-Site Scripting in Local
> HTML Resource (CAN-2002-0189) vulnerability discussed in MS02-023 has,
> indeed, been fixed.
>
> However, GreyMagic claims to have found a similar vulnerability in a
> resource that shipped with earlier versions of Internet Explorer,
> specifically in res://shdoclc.dll/analyze.dlg. GreyMagic admits to
> discussing a different exploitable resource than that discovered by Mr.
> Larholm. It is unclear whether or not GreyMagic or Mr. Larholm reported
> these newer findings to Microsoft. Microsoft says that they did not.
> GreyMagic only implies in a message
>
> From: GreyMagic Software [SMTP:secu...@GREYMAGIC.COM]
> Sent: Thursday, May 16, 2002 6:43 AM
> To: NTBU...@LISTSERV.NTBUGTRAQ.COM
> Subject: MS02-023 does not patch actual issue, users are still
> vulnerable!
>
> that they did, but they don't come right out and say it either in that
> message or on their web site. It should be noted that in all of GreyMagic's
> other advisories and not in this one, they say that "Microsoft has been
> informed". In addition, GreyMagic claims that this is the same
> vulnerability as that found by Mr. Larholm, but Mr. Larholm never discussed
> it.
>
> While GreyMagic's tests do not succeed on Internet Explorer 6, I am unable
> to test their claim on earlier versions because we don't have them on any of
> our computers.
>
> I will be grateful to learn the results of such tests from people who have
> access to both patched and unpatched versions of Internet Explorer 5.01 SP2
> (Windows NT 4.0 SP6a or Windows 2000 SP1 or SP2) and Internet Explorer 5.5
> SP1 or SP2. Please note that if you are running an up-to-date version of
> McAfee VirusScan, you will have to disable it. VirusScan traps all of these
> exploits.
Lemme see what I can find out. I'll be very disappointed if that is true
for messages which don't contain foul language.
David
Try using the W32.Klez and W32.Elkem Removal Tool from Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
I then ran all of the proof-of-concept demonstrations offered by Thor
Larholm and GreyMagic from their web sites at
http://jscript.dk/adv/TL002/
http://sec.greymagic.com/adv/gm001-ax/
Only one test succeeded, and that was GreyMagic's exploit of the
vulnerability in res://shdoclc.dll/analyze.dlg (the "Display location"
test). This was expected since the other exploit attacked the lack of input
validation in the resource
res://shdoclc.dll/policyerror.htm
which contains the same vulnerability as
res://shdoclc.dll/policylooking.htm
res://shdoclc.dll/policynone.htm
res://shdoclc.dll/policysyntaxerror.htm
which are all included only in Internet Explorer 6.0 and which were fixed.
The vulnerability in res://shdoclc.dll/analyze.dlg was not addressed in
MS02-023.
Ideally, GreyMagic would have notified Microsoft of the vulnerability they
found and it could have been fixed in MS02-023.
It should be noted that this new exploit does not work in patched IE6 even
though the "dangerous concatenation" described by GreyMagic in analyze.dlg
has not been changed by the patch. If I can find any spare time, I'll try
to find out why.
"David Dickinson [MVP]" <eis.n...@softhome.net> wrote in message
news:efPMM4LACHA.1880@tkmsftngp04...
Yes, and /very/ interesting stuff, too. The reintroduction of the IE https
certificate attack is particularly annoying. Fortunately, McAfee VirusScan
(an probably others) traps GreyMagic's published exploits. Otherwise we
would be in real trouble with every script kiddie trying to use them as
hacks.
If we filtered these groups as you have implied, then fully half of David's
posts would have been removed and he would not be an MVP today :-) Nobody
has been more critical of Microsoft in this group than he has.
--
Regards,
Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities
Get Secure! www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
"David Dickinson [MVP]" <eis.n...@softhome.net> wrote in message
news:O18iIiDACHA.1660@tkmsftngp02...
There ARE folks here who are FAR more critical of MS than David - myself
being one - and I understand the difference between SPAM, foul language, and
critical commentary on the Microsoft Way of Doing Business.
You ARE filtering these groups, as you say, but it's just done with
"automated filters". Interesting spin, Jerry.
A reply that doesn't get posted here HAS been filtered, or rejected, or
deleted - whether by a "person" or their programming. I trust you don't feel
there's a difference.
My sent items folder has four messages (four copies of the SAME reply to
David) that failed to post to this newsgroup yesterday, and I've only been
doing this for, oh, about twenty-seven years. Meaning it was no failure at
MY end to get these messages across. Other replies of mine to this group
have posted without incident.
I certainly understand - they are YOUR servers, and you make the rules here.
I just wish you were more forthcoming as to the reasons a message would be
filtered, because the criteria you mentioned were NOT breached in anything I
wrote.
I WAS more than critical of the manner MS chooses to design, implement,
test, and market their software, as well the recently announced "Security
Initiative" (or whatever name you gave it).
I suggested that with the massive braintrust you benefit from there in
Redmond, and the massive profits the firm generates each quarter, that you
all could be doing a MUCH BETTER JOB at not only avoiding security issues in
the future, but to fix and repair all those products that have gone before.
Band aids are hardly fixes, Jerry. Especially for the severity of the wounds
seen so far, suffered by paying customers across the globe.
Perhaps corporate has a bit higher sensitivity to harsh criticisms and
caustic commentary? That might be a good thing, in retrospect.
I just wanted the facts of my posting attempts to see the light of day.
Your comments were respectfully welcomed. I really do appreciate your
dialogs here.
Thank you. And good luck to you all.
--
Mark Strelecki, ACP BE6.2600.011208c
Computing and Programming Since 1975 http://www.strelecki.com
Protect Your Rights -- Fight UCITA http://www.4cite.org
"Jerry Bryant [MS]" <jbr...@online.microsoft.com> wrote in message
news:ubqe5qmACHA.1940@tkmsftngp04...
I would add to Mark's remarks my few (2 to be exact) experiences of finding myself
on the "wrong side of the filter" by whatever is limiting what one is allowed to
say or express on MS's security newsgroup.
Interestingly, although I am a quite regular poster at the microsoft.public.scripting.*
newsgroups, and although I sometimes do tend to use strong and/or foul words when
referring to certain MS scripting solutions or ways MS envisioned and/or documented
certain areas, I was never ever "filtered".
But come to "microsoft.public.security", and better watch out what you say, buddy,
foul language or not.
For instance, not so long ago I tried to say this:
http://groups.google.com/groups?hl=en&lr=&selm=b11d1191.0205100949.7c393a80%40posting.google.com
and was rejected (is "filtering" a politically more acceptable term?). No matter what I
tried - and I did try posting from different computers to different MS news servers -
I could not post this as the next thread to one of David's remarks. Interestingly, that
piece of software (if it is software) is a pretty clever piece of work, so a mere 24 h later,
using another PC from yet another location, the jab (or the post) finally got there.
But by then the whole thread had grown "cold", and there was not much reaction to my post.
More recently I tried to say this:
http://groups.google.com/groups?dq=&hl=en&lr=&selm=Oj9xvtU%24BHA.2540%40tkmsftngp05
and not only could I not post it, I was also "kicked out" from _all_ MS newsgroups,
scripting groups included!? Unrelated to the above, I tried to post some answers to
scripting questions only to discover that I couldn't. Interestingly, more than 24 h later
(apparently that clever piece of software has a piece of A.I. and can decide when a certain
subject grows "cold") the "curfew" was silently lifted and I could post to scripting groups
again (tnx U MS?).
What to say to all this? My impression is that some very sly tactics are being used to
silence criticism. Whether this criticism is justified or not should not be up to the
"filtering" software (or man) to decide.
Branimir
Spin is obviously the operative word in Microsoft land. Here is another cute
example addressed to me from earlier in the thread.
David Dickinson [MVP] wrote:
> "Shannon Jacobs" <sha...@my-deja.com> wrote in message
> news:OVsxtc6$BHA.2276@tkmsftngp02...
> <snip>
>
> Dear Mr. Jacobs,
>
> After wading through your uncalled-for insults, useless hyperbole,
> baseless accusations, and unproductive emotionalism, your concern
> <snip>
Should remind you of modern politics. No sense arguing with fools and
spinmeisters, and especially not on technical topics. Nor do I believe that
I was the first to introduce the non-technical spin in this thread.
The only reason I sometimes monitor these newsgroups is because they are all
too frequently much more useful than Microsoft's purported support Web
sites. I sometimes pose questions or report problems, but I rarely comment,
though you may note that on this occasion the post which I commented on was
apparently from an official representative of Microsoft. His post mostly
reminded me of the political party line as propagated by talking-point
faxes. Spinmeisters call it "damage control".
As I've commented before, it is not the case that I think that all of the
folks working for Microsoft are evil greedy fools. As with any large
company, there's a bunch of people there and they have various priorities
and various degrees of competence in their respective specialties. Some of
them are sincerely focused on producing the best software they can, others
on testing, some support users, and still others are deeply knowledgeable
about and concerned with security. There are also some folks who focus on
sales, on maintaining the monopoly, and on maximizing profits. The various
groups compete for the resources to achieve their various goals. Looking at
the long-term track record, it is quite clear which groups dominate the
company.
By the way, I'm actually including in my thoughts those indirect (or
"parasitical") employees who sell the various kinds of support services that
Microsoft doesn't want to be bothered with. That's actually a large industry
of its own.
<snip>
> I suggested that with the massive braintrust you benefit from there in
> Redmond, and the massive profits the firm generates each quarter,
> that you all could be doing a MUCH BETTER JOB at not only avoiding
> security issues in the future, but to fix and repair all those
> products that have gone before.
Yes. One might think so. Actually this is a very fundamental issue of
technical design. It is much better to start with a strong security model
and then decide where and under what carefully considered circumstances the
model must be weakened. And of course that should remind you of Java, which
Microsoft strongly rejects.
Sounds groovy to me.
<snip>
> If we filtered these groups as you have implied, then fully half of
> David's posts would have been removed and he would not be an MVP
> today :-) Nobody has been more critical of Microsoft in this group
> than he has.
Well, I dunno about that. I do try to maintain some balance. Besides, I
really like Windows and Office and think their development has been a very
beneficial service to the world, even though the whole Passport idea stinks
to high heaven -- then there's licensing that requires a doctorate in
contract law, security holes that seem to take forever to get plugged,
piecemeal but mandatory upgrades even for grandmothers' home PCs, short life
cycles that end just when you're starting to get it right, a user interface
that keeps straying farther from the CUA and changes just when we've finally
figured out the old one, non-negotiable pseudo-standards that keep the
ground shifting directions beneath our feet and prevent interoperability...
Man, I'm gonna cry all the way to the bank.
--
David Dickinson, MVP
Yes, it would be nice if I could make all of my money customizing and none
fixing. It would certainly be a perfect world.
In the meantime, we parasites still have to get up at two in the morning
when something breaks (probably because we're closer than anyone from
Microsoft and already know the systems, having configured them in the first
place). For some strange reason, people seem to like fast onsite support
with expertise in their custom applications.
Of course, Microsoft could probably invest in an all-encompassing monopoly,
but then I'd either be an actual Microsoft employee or, preferably, able to
pursue my real dream of becoming a master pastry chef (except that then I'd
have to get up at three every morning).
But it seems that you can't have your cake and eat it, too.
(That's not /too/ subtle, is it?)
--
David Dickinson, MVP
If you could send me the post you tried to make I will investigate further.
Just take the online portion out of my address. I've had our ops people
looking into this since you posted. Our filter logs do not show any posts
made by you that were rejected. If I can get the actual post then we can
determine if any of the phrases the filters are looking for are evident.
I can assure you, though, that it is against our policy to filter criticism
towards Microsoft.
--
Regards,
Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities
Get Secure! www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
" Mark Strelecki, ACP" <be6...@nospam.strelecki.com> wrote in message
news:eLcCN6nACHA.2200@tkmsftngp02...