Bugtraq mailing list archives
RE: Microsoft Security Bulletin MS03-005: Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577)
From: "Jason Coombs" <jasonc () science org>
Date: Thu, 6 Feb 2003 08:03:41 -1000
John Howie wrote:
I disagree. From a risk perspective you need to know mitigating factors. To kill the hype that accompanies a newly discovered vulnerability you need a cool, dispassionate, overview of the problem. Your sample 'aggravating' factor was anything but, and would be more likely to add to the hype.
You're in favor of vendors publishing false statements as a means of mitigating the threat of hype? Microsoft, after reading their own security bulletins, mistakenly concludes that privilege elevation vulnerabilities like MS03-005 "cannot be exploited remotely." A privilege elevation threat is in some ways more critical than a buffer overflow. The reason is that there are attackers out there (especially insiders) who have been sitting in a position to execute arbitrary code under unprivileged user account security contexts for years, looking for a way to elevate privileges. MS03-005 may unleash those pending threats, because employers routinely "share between users" Windows boxes deployed within the organization. By design an Active Directory-based network is "shared between users". And you should be aware that Windows is not just for the desktop anymore. Windows is being used as the foundation of Web hosting providers' commercial services, and Web hosting under Windows is designed to be extensible and programmable; a privilege elevation exploit that can be mounted by your neighbor on a shared Web hosting box directly impacts your security. The entire threat in this case is remote, because it happens on somebody else's server box where you rent space. To claim that a privilege elevation attack cannot be exploited remotely is to fail to consider the real world usage scenarios in which attacks really occur. I'm sure you've seen as many examples of vendors believing their own propaganda as I have over the years. A vendor who habitually misstates and mischaracterizes the risk posed by their products does a lot of harm, and guarantees that incidents will occur in the future that create far more hype than would emphasizing the extreme possibilities for exploitation of each vulnerability in the first place. Besides, I thought our collective infosec goal was to prevent incidents, not work together to prevent hype. Jason Coombs jasonc () science org
Current thread:
- FW: Microsoft Security Bulletin MS03-005: Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577) Jason Coombs (Feb 06)
- <Possible follow-ups>
- RE: Microsoft Security Bulletin MS03-005: Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577) John Howie (Feb 06)
- Re: Microsoft Security Bulletin MS03-005: Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577) Florian Weimer (Feb 06)
- RE: Microsoft Security Bulletin MS03-005: Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577) Jason Coombs (Feb 07)