Bugtraq mailing list archives
Re: FW: Microsoft Security Update
From: xenophi1e <oliver.lavery () sympatico ca>
Date: 5 Sep 2003 00:00:51 -0000
In-Reply-To: <000301c3726e$5f919010$0200000a@JumperLappy>
MS03-038 (code execution in Access Snapshot Viewer, an ActiveX control) got a rating of Moderate for webpage based exploits but completely forgets to mention HTML email.

While we're criticizing MS's handling of this series of goof-ups I'd like to point out a bit of MS-03-038 which I suspect most people overlooked:

<quote>
To remove the ability for the old control to be reintroduced on a user's system, a kill bit will be issued for the old control in a forthcoming Internet Explorer security patch.
</quote>

In other words MS has not yet set the kill bit on this control. Yet old versions are in widespread circulation and both HTML email and web pages can be used as an attack vector. Wonderful. Well done. I'm glad I sat on this for months waiting for MS to tell the world how to exploit it, and do nothing of substance to protect the majority of users (those who don't use Access or do not have the control installed).

Although I wouldn't argue with the moderate rating. IMHO they should just change their severity levels to Massive Disruption of Critical Services, Vicious, Horrible, and Really Bad.

*sigh*

~x
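An added example, not part of the original post: since the complaint above is that the kill bit had not yet been issued, this PowerShell snippet lets an administrator check whether a given ActiveX control's kill bit is set in Internet Explorer's "ActiveX Compatibility" registry location, and set it locally if not. The CLSID shown is a placeholder, because the post does not give the Snapshot Viewer control's CLSID; take the real one from the vendor bulletin.

```powershell
# Added example (not from the original post). The kill bit is the 0x400 flag
# in the "Compatibility Flags" DWORD under the per-CLSID key below. On 64-bit
# Windows, 32-bit IE reads the same path under SOFTWARE\Wow6432Node (assumed
# here as a second location to check).
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$KillBit = 0x400

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) {
            "{0}: no entry (kill bit NOT set)" -f $key
            continue
        }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { $flags = 0 }
        if (($flags -band $KillBit) -ne 0) {
            "{0}: kill bit SET (flags=0x{1:X})" -f $key, $flags
        } else {
            "{0}: kill bit NOT set (flags=0x{1:X})" -f $key, $flags
        }
    }
}

function Set-KillBit {
    # Requires an elevated shell; ORs 0x400 into the existing flags so other bits survive.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path $root)) { continue }   # skip Wow6432Node on 32-bit Windows
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($current -bor $KillBit) -Force | Out-Null
    }
}

# Placeholder CLSID (constructed); substitute the vulnerable control's real CLSID.
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'
Get-KillBitState -Clsid $PlaceholderClsid
```

Run `Get-KillBitState` again after `Set-KillBit` to confirm the 0x400 bit now shows as SET in each location.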