funsec mailing list archives

MS06-015 Quietly Patching Publicly-Reported Vulnerabilities


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Tue, 11 Apr 2006 19:55:42 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Amidst the dozen-or-so vulnerabilities patched by Microsoft's security
bulletins today, something about one of them stood out to me:

    "This security update includes a Defense in Depth
     change which ensures that prompting occurs consistently
     in Internet zone drag and drop scenarios."

The "drag and drop scenarios" wording seems eerily similar to that of my
earlier public report on February 13th about drag-and-drop issues in the
browser.  If nothing else, the timing is very curious.  Microsoft does
not note what (if any) CVEs are of relevance to this "defense in depth"
change.

More interesting is that it's not an IE patch, but a shell fix, that is
involved in this case.  The reason that's interesting is because I was
specifically informed by MSRC that the vulnerability would be fixed as
part of a shell defense-in-depth change.

It looks, based purely on the information in the bulletin and no testing
of my own, that MS may have attempted to quietly patch CVE-2005-3240 --
the drag-and-drop issue I reported.  Such a semi-documented fix wouldn't
be the only one in MS06-015.  The FAQ section of the "Windows Shell
Vulnerability" item also notes:

    "The update for this vulnerability also addresses a
     publicly disclosed variation that has been assigned
     Common Vulnerability and Exposure number CVE-2004-2289."

Props to Steve Christey for spotting that.

Draw your own conclusions on this, but it looks to me that Microsoft is
attempting to quietly patch publicly reported vulnerabilities where the
company took its sweet time to issue fixes.  At the very least, the way
the information was published in MS06-015 is extremely misleading to
Microsoft customers who have been led to believe that the patch is
designed to close one specific, privately-reported, previously-unknown
vulnerability.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFEPFAOfp4vUrVETTgRAw5lAKCHg3oIrtpi/rSgZaR7G+2aMTj8WACghpMJ
5QpjTyaoTJUFbnfHuFqD0LI=
=Wv9w
-----END PGP SIGNATURE-----

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.