Re: [ISN] Microsoft Security Bulletin (MS98-010)

From: mea culpa (jerichoat_private)
Date: Wed Aug 05 1998 - 13:13:55 PDT


    From: <anonymous>
    
    Microsoft Product Security Response Team wrote:
    
    > The Truth About BackOrifice
    <snip>
    > BackOrifice does not compromise the security of a Windows network.
    > Instead, it relies on the user to install it and, once installed, has only
    > the rights and privileges that the user has on the computer.
    
    	Unless I am sorely mistaken, BackOrifice was never touted as an
    "attacking intrusion" utility (i.e., a trojan horse).  It was touted as a
    program which could be utilized by a user to intrude on other systems. 
    Stating that BackOrifice does not compromise a Windows network or system
    is analogous to stating that L0phtcrack does not compromise a Windows
    network or system.  The statement is true, but inaccurate and misleading; 
    thus giving users a false sense of security.
    
    > For a BackOrifice attack to succeed, a chain of very specific events must
    > happen:
    >  - The user must deliberately install, or be tricked into
    >    installing the program
    >  - The attacker must know the user's IP address
    >  - The attacker must be able to directly address the user's
    >    computer; e.g., there must not be a firewall between the
    >    attacker and the user.
    
    	Installing is no problem.
    
    	Knowing an IP address is no problem.
    
    	Directly accessing said IP address is rarely a problem.
    
    	Hence, there _is_ a problem.
    
    > What Does This Mean for Customers Running Windows 95 and Windows 98?
    > ====================================================================
    > BackOrifice is unlikely to pose a threat to the vast majority of Windows
    > 95 or Windows 98 users, especially those who follow safe internet computing
    > practices.
    
    	Experience has shown that the bulk of Windows users don't know the
    first thing about "safe internet computing practices."  These are the same
    caliber of people who think the "Good Times Virus" is real, for goodness
    sakes.  Does Microsoft _really_ expect Joe and Jane User to understand,
    let alone implement, "safe internet computing practices"??
    
    > Clearly, users should prevent this installation by following good
    > practices like not downloading unsigned executables, and by insulating
    > themselves from direct connection to the Internet with Proxy Servers
    > and/or firewalls wherever possible. 
    
    	Joe Lamer on Generic ISP isn't often afforded that arrangement,
    Microsoft.
    
    	Microsoft, your products are vulnerable.  Deal with it.  Don't
    pass the buck... 
    
    	...again.
    
    


