Bugtraq mailing list archives

Re: SANS Flash: Most dangerous flaw found in Windows workstations, Fix available.


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Tue, 18 Jul 2000 13:31:48 -0700


I've gotten enough inquiries about this that I am posting this message.
SANS recently sent out an email alert titled "SANS Flash: Most dangerous
flaw found in Windows workstations, Fix available."

The vulnerability they describe is not new. If you read their message
closely you'll see that it was published back on June 27 by Georgi
Guninski in BUGTRAQ and that Microsoft published an advisory about it
on July 14.

The message claims that they "developed this exploit further and
realized that this is one of the most serious exploits of Windows
workstations in the last several years". What exactly "further" they
found is anyone's guess. Georgi's message is clear enough about the
problem. I don't know what SANS gets by releasing old information as new.

In his message Georgi clearly describes how you can penetrate someone's
machine when they visit a web page or read an email message by creating
a malicious Access database file.

Furthermore, in a follow-up message Paul Rogers pointed out that
setting IE's "Run ActiveX controls and plug-ins" option to
Prompt or Disable would not stop the vulnerability.

You can find more information about the problem at
http://www.securityfocus.com/bid/1398

It's also silly for SANS to call this the "most dangerous flaw found in
Windows workstations". Is this a dangerous flaw? Yes, very much so.
But there have been flaws in the past that have been worse. For example,
the MIME buffer overflow in email clients such as Netscape and Outlook.
Remember for this problem to work you need to have Access installed.

As a matter of fact I consider the problem announced today about
a buffer overflow vulnerability in Outlook and Outlook Express to
be more dangerous as it does not require any other program to be
installed.

Information about that problem can be found at
http://www.securityfocus.com/bid/1481

Of more interest, and something that SANS fails to point out, is that
Microsoft has not really implemented a fix to the problem. In their
MS00-049 advisory Microsoft provides a workaround to the problem not
a real fix. At least the advisory FAQ states they are working on and
will be releasing a real patch.

I would also caution anyone against using a vulnerability to patch a
vulnerability. Most vulnerabilities are bugs and do not have well-defined
behavior. As such, trying to use one as a mechanism to apply fixes is
a risky proposition. While certainly an intriguing, if well-known, idea,
it may not perform reliably, and you will be left with a false sense of
security if it fails to fix the problem.

Guninski's original message to BUGTRAQ can be found at
http://www.securityfocus.com/templates/archive.pike?list=1&msg=39589359.762392DB () nat bg

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
