sleepydoc
join:2002-02-09
Avon, CT

sleepydoc to Lucif4

Member

to Lucif4

Re: Cumulative Patch for Internet Explorer (Q321232)

Has anyone tried to use this cumulative update with IE5.01 running under WIN95a?

olefin
Really A Texan
join:2001-07-28
Hot Springs National Park, AR

olefin to Lucif4

Member

to Lucif4
Added today after receiving email from MS.

No problems.:D

I always disable AV before installing any program or update.

XP home.
sleepydoc
join:2002-02-09
Avon, CT

sleepydoc to Lucif4

Member

to Lucif4
Really a Texan:
Thanks for the info. The Microsoft documentation seems to imply that the patch only runs under NT and it's reassuring to hear from you that it works for IE5.01 under WIN95a.
...

Cagliostro$
join:2002-05-04

Cagliostro$ to Lucif4

Member

to Lucif4
Ever notice that even with downloads disabled in your Internet Security zone that it's still possible to download something from Windows Update?

Microsoft doesn't have to be placed in the Trusted Sites zone either.

MeeToo7
You Too?
Premium Member
join:2000-10-18
Ardmore, PA

MeeToo7

Premium Member

To run Windows Update you had to download a plugin at some point, which scans your computer and detects what updates you need. So that would bypass the security zone restrictions.

cjsmith
Premium Member
join:2000-11-03
Villa Rica, GA

cjsmith to Lucif4

Premium Member

to Lucif4
I find this simply amazing that all "6" of these vulnerabilities affect IE6, the only browser to include all six patches. Egads!

Thank you for the heads up Lucif4.

[text was edited by author 2002-05-16 02:21:37]

MeeToo7
You Too?
Premium Member
join:2000-10-18
Ardmore, PA

MeeToo7 to Try this9

Premium Member

to Try this9
said by Try this:
Does anyone else's IE 6.0 seem to browse faster (snappier page loading) after this update? Or am I just going nutz with wishful thinking?:D
I'm using IE 5.5, and I definitely notice that the drop down menus are snappier.

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

R2 to cjsmith

MVM

to cjsmith
said by cjsmith:
I find this simply amazing that all "6" of these vulnerabilities affect IE6, the only browser to include all six patches. Egads!
Yes and no. It is their most advanced browser -- so it has the most advanced holes!:)

I just hope the patches have LESS errors than the Security Bulletin:
said by MS02-023:
...the intended file contain a single, parcicular ASCII character.

...for a system to be vulnerable, it must have present an application present that, ...

In addition to eliminating all previously discussed vulnerabilities versions, it also eliminates eliminates six new ones: ...

...could disclose information store on the local system...

Only files that contained a particulr, individual ASCII character...

...it is possible for a web site to use the text alingment and color elements...
Spell Checking brought to you by... Microsoft.
R2

R2 to Lucif4

MVM

to Lucif4

Thumbs down to Microsoft.

Most of the vulnerabilities are seemingly prevented using our previously defined strategies -- and that is RESTRICTING the Internet zone, and placing your Email reader in the Restricted sites zone.

I find these statements rather disconcerting:
said by MS02-023:
A successful attack requires that a user first click on a hyperlink.

...this scenario requires social engineering to make the user choose to visit his site.

However, a successful attack would require luring the user to the attacker's site.
MS keeps implying that as long as you just don't visit any bad web sites and if you just don't click any links, then you will be OK. Isn't that akin to saying just don't surf the Internet?? If you knew exactly which pages were safe and which weren't, or if you NEVER wanted to visit ANY new sites, this approach makes sense. Otherwise, I find their comments more annoying than helpful.

This type of information is equally condescending and unhelpful:
said by MS02-023:
Customers who exercise caution in what web sites they visit or who place unknown or untrusted sites in the Restricted Sites zone can potentially protect themselves from attempts to exploit this issue on the web.
This type of statement is made numerous times. How ludicrous is this? Just place ALL sites that you don't know in your Restricted site zone.

Hmmm... let's see. How do I do that? Do I enter *\\*.*.* on to my Restricted Sites list? Otherwise, if a site is "unknown" to you, how do you get it in the Restricted sites zone in the first place? Very interesting concept.

Doesn't this REALLY mean to say: "RESTRICT YOUR INTERNET ZONE"!!!! Then, place any site you trust into your Trusted sites. Why don't they come out and say this??

And what the crap is the "particular, individual ASCII character"?? They can't even spell particular correctly half the time, but they never once come out and say what that character is! Weird. I am going to take a wild guess that it is not one of the numerical or alphabetical characters.

Equally mysterious is the HTML object that can disclose local information. Does the object have a name, or can it only be referred to as "the object in question"? It is interesting that "the object in question" must call on a file with "the particular character in question". Can we be a little more vague?

Again we find out the Cookies are not as 'inaccessible' by other web sites as Microsoft always swore they were. The party line was always that "only the site that placed the cookie has access to it". This is the SECOND vulnerability that proves that was bogus! And ONLY after the second vulnerability are cookies moved into the Restricted sites zone. I guess one vulnerability isn't enough.

Furthermore, the "fifth and sixth vulnerabilities" patches seem to just finish closing holes in the Content-Disposition/Content-Type vulnerabilities that MS incompletely fixed last time. Are they completely fixed now?? Can we trust MS to finish the job this time? Probably not.

And, what about frames? Was the Restricted sites not fully Restricted by default AGAIN?? Certainly my Restricted sites is fully disabled -- shouldn't it be? What were they thinking? How can they rationalize anything but a fully disabled Restricted sites?

Sorry for the rant. I am very happy to see MS fix these vulnerabilities, but many of these should have been fixed long ago. And their condescending attitude -- just don't go to any 'unknown' site -- is very annoying.

[text was edited by author 2002-05-16 08:16:17]

Time Out$
Premium Member
join:2002-04-28
North Myrtle Beach, SC

Time Out$

Premium Member

Sorry nothing, I like your Rants any old time...but I looked at exploiting these "vulnerability" from the other perspective..

d-mn I would have to know what kind of coffee you are drinking..if you used sugar..cream..or the liquor of your choice..before I could get in your face and work out a deal to use you or screw up your system...GLAD M$ is still responding..but I see this one as a hard hack to get any satisfaction or jollies for the bad guys.

cjsmith
Premium Member
join:2000-11-03
Villa Rica, GA

cjsmith to R2

Premium Member

to R2
[This is not a real ad]        



[text was edited by author 2002-05-16 09:19:02]

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

R2

MVM

You know Microsoft -- Safety First!
__________

Hey, you changed your image!
[text was edited by author 2002-05-16 13:03:15]

Time Out$
Premium Member
join:2002-04-28
North Myrtle Beach, SC

Time Out$

Premium Member

Keep your Thumbs out the way as I close the door !

said by R2:
You know Microsoft -- Safety First!
Sure do..just so they do not start adding up all the "costs" they are putting into this little venture into "safety" and tack it all on to the price of the next Version of the "mountain" they want XP to climb with its buddy IE 8.0 and make everyone pay for the skiing trip again.

I think rebates are in order if you have been waxing M$ skis all these months for free..instead of enjoying the XP vacation.

You notice I said nothing about IE 7.0

..well that is the one you are going to get free next month that will totally revamp that IE 6 Security Zone.

They plan to throw out the "hole" concept and introduce the new PFJSSPP Technology.

Popper Flopper Jockitch Stopper Shieldsup Panty Proggie.

Then everyone will be all set up to enjoy the M$ .NET.

Lucif4
Premium Member
join:2000-12-12

Lucif4 to R2

Premium Member

to R2

MS02-023 does not patch actual issue!

Here we go, again... *sighs*

I think you are on to something R2, but they didn't correct the issues. So, they really need to do their homework or visit BugTraq once in a while.

Opera is looking more and more appealing as the days/weeks go by.

MS02-023 does not patch actual issue!

Update and comments on the MS02-023 patch, holes still remain

The latest cumulative patch from Microsoft,
»www.microsoft.com/techne ··· -023.asp , promises
to eliminate "six newly discovered vulnerabilities", but fails to do so.

First, we find what MS calls "A cross-site scripting vulnerability in a
Local HTML Resource". This is obviously a reference to the dialogArguments
vulnerability, and as such this mislabelling name does not bode well to
begin with. In fact, MS seems to have misunderstood quite a number of issues
surrounding this vulnerability. The first such is found in their list of
mitigating factors:

"A successful attack requires that a user first click on a hyperlink. There
is no way to automate an attack using this vulnerability. "

The above is blatantly untrue, and was repeatedly demonstrated to MS both in
the initial notification phase and when we worked together to reproduce the
issue. Nothing in the world stops this vulnerability from being
automatically exploited.
Another 'mitigating' factor:

"Outlook 98 and 2000 (after installing the Outlook Email Security Update),
Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted
Sites Zone. As a result, customers using these products would not be at risk
from email-borne attacks. "

The above is merely misinformation on their parts. The Restricted Sites Zone
tries to disable scripting ( a requisite for the dialogArguments
vulnerability ), but many vulnerabilities allow you to circumvent this
setting ( one such listed on /unpatched/ ). As such, you can still script in
the Restricted Sites Zone, and as such "customers using these products" are
still at risk from email-borne attacks.

Aside from these misunderstandings it could appear as though Microsoft is
not actively keeping up with the security community and its publications.
The dialogArguments issue was originally demonstrated with a resource file
only found in Internet Explorer 6. Shortly after being disclosed GreyMagic
Software highlighted how another resource file was also vulnerable, which
existed from IE5 and onwards. Microsoft has fixed the vulnerability in IE6
_only_.

I repeat, IE5 and IE5.5 are still vulnerable.

The same severity rating (Critical) also applies to IE5 and IE5.5, with the
exception that they still remain unpatched. The demonstration was fixed
instead of the vulnerability. If you want to convince yourself about this
(and still use the apparently unsupported IE5 or IE5.5 browser), try the
examples in GreyMagic's appendix to my advisory at
»sec.greymagic.com/adv/gm001-ax/ .

Next, we find that the cssText vulnerability should be patched. Most of my
systems behave properly and appear to have this vulnerability patched,
though some still allow local file reading. More testing needed, but likely
not a job full done. So far it appears patched.

The "Script within Cookies Reading Cookies" vulnerability also has the same
incorrect 'mitigating' factor as dialogArguments, and claims that

"An attacker would have to entice a user to first click on a hyperlink to
initiate an attempt to exploit this vulnerability. There is no way to
automate an attack that exploits this vulnerability."

Of course, this is also untrue since Internet Explorer comes equipped with a
nice click method on links that a programmer can execute, duplicating an
actual click (
»msdn.microsoft.com/works ··· lick.asp
). As such, nothing stops anyone from exploiting this vulnerability
automatically.

The "zone spoofing" vulnerability sounds interesting, but I can find no
further details (MS is not exactly full disclosure).

And finally we have two variants of the "Content Disposition" vulnerability.
The first depends on an unknown third-party program (your guess is as good as
mine). The second depends on an executable being present, and has a
misinforming mitigating factor:

"Any attempt to exploit the vulnerability requires that the attacker host a
malicious executable on a server accessible to the intended victim. If the
hosting server is unreachable for any reason, such as DNS blocking or the
server being taken down, the attack would fail. "

The above seems to discuss an email-borne attack, and as such there is no
dependency on external servers. Outlook can easily parse attached
executables through CID: (Content-ID) and as such this mitigating factor is
quite minute since the email itself would act as the hosting server.

Yesterday I hosted a list of 14 publicly known unpatched vulnerabilities,
today I host a list of 12 such. It can still be found at
»jscript.dk/unpatched/

Just my .02 kroner of comments

Regards
Thor Larholm
Jubii A/S - Internet Programmer

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

R2

MVM

Excellent follow up. I wonder why I am so pessimistic...
_____________

Does anyone else have problems going to that first link:
»online.securityfocus.com ··· -05-19/0
[text was edited by author 2002-05-16 15:25:15]

dja
Happy to Help
Premium Member
join:2002-03-25
Niagara

dja to olefin

Premium Member

to olefin

Re: Cumulative Patch for Internet Explorer (Q321232)

said by olefin:
Added today after receiving email from MS.

I always disable AV before installing any program or update.

XP home.

I think that having a RUNNING AV program during an install is VERY GOOD PROTECTION against what may be an altered application. I know for a fact that a malicious program may be placed on a server and insert itself in all downloaded apps. I NEVER disable my AV when importing data.

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

jaykaykay

MVM

NM!
[text was edited by author 2002-05-16 17:57:41]

Phoenix22
Death From Above
Premium Member
join:2001-12-11
SOG C&C Nrth

Phoenix22 to Time Out$

Premium Member

to Time Out$

Re: Microsoft Security Bulletin MS02-023

said by Time Out:
(Thanks to Time Out for the suggestion.)
Good luck and thanks for the heads up Luci4.

Right on Jabba !( I can say that cause I am over 40)that Poor Internet Explorer is still hanging in there, by a thread, and we do not want M$ to give any excuses why these patches might not work..so go in there naked so your AV/AT does not crash on you.
Hey well over, can I click on the red square, now???
Phoenix22

Phoenix22 to dja

Premium Member

to dja

Re: Cumulative Patch for Internet Explorer (Q321232)

said by djashley:
said by olefin:
Added today after receiving email from MS.

I always disable AV before installing any program or update.

XP home.

I think that having a RUNNING AV program during an install is VERY GOOD PROTECTION against what may be an altered application. I know for a fact that a malicious program may be placed on a server and insert itself in all downloaded apps. I NEVER disable my AV when importing data.

I always conduct live fire drills while installing updates and..... I go down by the river when doin' "patches"........have you hugged your recoilless, today??:)
fadgly
join:2002-05-23

fadgly to R2

Member

to R2
Um, do you mean FEWER errors? :-p

Sorry, I couldn't resist...

dp
MVM
join:2000-12-08
Greensburg, PA

dp to Lucif4

MVM

to Lucif4
When is the patch coming out that fixes this patch?

Kindguy98
Lasciate ogne speranza, voi ch'intrate
join:2000-12-01
Brooklyn, NY

Kindguy98 to dja

Member

to dja
You are right. I never turn my AV off either.

parputt
Premium Member
join:2001-11-25
New Iberia, LA

parputt to Time Out$

Premium Member

to Time Out$

Re: Keep your Thumbs out the way as I close the door !

said by Time Out:

They plan to throw out the "hole" concept and introduce the new PFJSSPP Technology.

Popper Flopper Jockitch Stopper Shieldsup Panty Proggie.

Then everyone will be all set up to enjoy the M$ .NET.
Now that my friend, is funny. Good one!!!!!!!!!!!!!!!!!!!!!