[ISN] Microsoft Security Under Fire

From: InfoSec News (isnat_private)
Date: Tue Aug 20 2002 - 05:38:42 PDT

    August 19, 2002
    By Dennis Fisher

    Microsoft Corp.'s commitment to security, specifically its Trustworthy
    Computing initiative, is being questioned after its inaction regarding
    two new reports of security vulnerabilities in its products, security
    experts say.

    Twice in the past three weeks, experts have issued reports of security
    flaws in Microsoft products, and both times the company remained
    silent, making no immediate public comment and issuing no fix.

    The lack of communication has left users wondering if patches were in
    the works or even if the reported problems were legitimate.

    The most recent report, posted to SecurityFocus' BugTraq mailing list
    by researcher Mike Benham, explained a flaw in the way Internet
    Explorer handles digital certificates used in SSL (Secure Sockets
    Layer) connections to remote Web servers. Such certificates are
    typically issued and signed by CAs (certificate authorities) such as
    VeriSign Inc., which lists the Web site that owns them.

    Benham found that most current versions of Microsoft's Web browser
    fail to check the legitimacy of certificates issued by intermediate
    CAs. As a result, a malicious Web site operator could generate and
    sign a fake certificate for another site and collect credit card
    information and other data.

    KDE Project's Konqueror is also vulnerable, but a patch was issued to
    secure that browser within hours of the disclosure. AOL Time Warner
    Inc.'s Netscape Navigator and Opera Software ASA's Opera browsers are
    not susceptible to the problem.

    While KDE was fixing the problem, Microsoft officials would say only
    that the company was investigating it. Nine days after the advisory
    was published, Microsoft posted an article to its TechNet site
    explaining the flaw and saying that the scenario and the likelihood of
    an attacker being caught make exploitation of the vulnerability

    Microsoft security officials said the delay was necessary to
    investigate the issue, since Benham released his advisory without
    notifying Microsoft first. The company said it will issue a patch, but
    officials could not say when.

    "It's in the nature of these issues that we have to do highly detailed
    research," said Scott Culp, manager of the Microsoft Security Response
    Center, in Redmond, Wash.

    Some customers are fed up.

    "It is truly frustrating. I have vowed to eliminate using any
    Microsoft products because I am so frustrated over their 'Take a
    standard and modify it' approach," said James Rome, a senior scientist
    at Oak Ridge National Laboratory, in Oak Ridge, Tenn. "[But] it is
    impossible to not use IE. It lurks under the covers everywhere. If you
    do something like disable scripting in IE, other applications break."

    Others say that the problems often don't end when Microsoft does issue
    a patch.

    "From the outside, there doesn't appear to be a reason Microsoft can't
    fix the immediate issue," said Scott Blake, vice president of
    information security at BindView Corp., in Houston.

    "[However] it doesn't solve the larger problem that it is possible to
    social engineer people into giving away confidential information over
    the Web to people they don't intend to give it to," Blake said. "This
    flaw makes it easier, but fixing [it] doesn't fix the problem."

    Culp said the SSL problem is actually in the Windows code and not IE,
    which would complicate the process of producing a patch.

    A similar situation occurred earlier this month when a researcher
    released a white paper claiming that the Win32 programming API in
    Windows is flawed in a way that allows attackers to gain escalated
    privileges once they've accessed a PC. Microsoft did not respond to
    the author, nor did it make any public statements about the issue.

    "They can't say anything definitive until they really know for sure,
    but they should make some statement," said Chris Wysopal, director of
    research and development at @Stake Inc., a Cambridge, Mass., security
    consultancy and research company. "[The SSL problem] isn't a totally
    simple issue. But when they stay silent, it looks like they don't

    Wysopal also disputed Microsoft's claims that attacks using the SSL
    vulnerability are unlikely. An attacker would use a stolen SSL
    certificate, not his own, making identification of the attacker much
    more difficult.

    ISN is currently hosted by Attrition.org