[ISN] The Microsoft Security Bulletin They Won't Issue

From: InfoSec News (isnat_private)
Date: Fri Aug 22 2003 - 01:38:02 PDT

  • Next message: InfoSec News: "[ISN] Navy purchase cards hacked"

    Forwarded from: Richard Forno <rfornoat_private>
    
    The Microsoft Security Bulletin they -=should=- issue, but won't.  :)
    
    -rick
    Infowarrior.org
    
    -----------------------------------------------------------------
    
    Title:   Ongoing Compromises of the Windows Operating Environment
    Date:   20 August 2003
    
    Software:  
    
    - Microsoft Windows 3.1
    - Microsoft Windows 95
    - Microsoft Windows 98
    - Microsoft Windows NT 4.0
    - Microsoft Windows SE
    - Microsoft Windows ME
    - Microsoft Windows 2000
    - Microsoft Windows 2000 Server
    - Microsoft Windows XP
    - Microsoft Windows Server 2003
    
    Impact:      Run code of the attacker's choice
    Max Risk:   Important
    Bulletin:     MS02-0401 (REVISED)
    
    Microsoft encourages customers to review Security Information at:
    http://www.microsoft.com/security on a regular basis, and subscribe to
    CERT/CC bulletins at http://www.cert.org.
    -----------------------------------------------------------------
    
    Issue:
    =====
    
    Microsoft Windows is a collection of software components that enable users
    to experience the Internet. All components share a common series of
    interfaces that taken together comprise the Windows Operating Environment.
    
    - By default, Internet Explorer is enabled on all systems running Microsoft
    Windows. (It should be noted that there are substantial issues with Internet
    Explorer reported; users should consult the Microsoft Security Resource
    Center to obtain the appropriate patches.)
    
    - Insecure scripting languages such as VBScripting are used throughout the
    Microsoft Windows Operating Environment and included in many Microsoft
    applications such as Microsoft Office. Users have reported that it is
    difficult, if not impossible, to completely remove such scripting features
    even though they are proven to be regularly exploitable, thus making it
    likely they will be subject to repeated exploitation.
    
    - Microsoft products often integrate with the operating system internals,
    meaning that by installing new software, particularly from Microsoft, the
    operating system may become modified and thus provide an opportunity to
    introduce new vulnerabilities or exploit trusted relationships within the
    Windows Operating Environment. As such, many applications are difficult to
    uninstall completely from a computer since they may be serving as patches to
    the underlying operating system.
    
    - Improper software development has facilitated repeated security incidents
    resulting in the loss of customer information, e-mail addresses, system
    downtime, and customer productivity in environments based on the Microsoft
    Windows Operating Environment. User misconfiguration is also a factor.
    
    - Microsoft products are often rushed to market without a thorough check of
    the software quality. Buffer overflows are one result of this issue, and
    after several years of high-profile incidents, continue to impact the
    technology community instead of being fixed once and for all. Microsoft
    notes that it frequently releases patches to existing patches and believes
    this is the best way for users to stay protected given Microsoft's current
    software development and business practices.
    
    - Due to the frequency of patches and critical fixes being released to the
    user community, it's quite likely that many network administrators are
    hesitant to install such patches, since the cure may be worse than the
    original problem, or even create new ones, as evidenced by issues arising
    from several Windows Service Packs over the years.
    
    -  Despite advances in marketing a concept of "Trustworthy Computing" it is
    unlikely that there will be any single solution to remedy the many issues
    associated with the security and stability of Microsoft products.
    
    Microsoft prides itself on innovation and consistency in developing new and
    exciting software products. Over the years, customers have come to expect
    this as a hallmark of how Microsoft does business. The fact that each new
    security incident resulting from Microsoft products presents a higher degree
    of danger to the Internet community is one example of our ability to produce
    software products in a consistent manner with regard to quality assurance,
    reliability, and security. We reiterate our pledge to provide software
    products with a consistent level of quality to our customers worldwide.
    
    
    Mitigating Factors:
    ====================
    
    - For an attack against Microsoft Operating Environment to be successful,
    the user/victim must be running an exploitable version of Microsoft Windows.
    
    - Microsoft Windows systems operating in closed network environments stand a
    somewhat higher chance of survivability when new security incidents
    regarding Microsoft products is reported than other, more exposed systems.
    Systems that are not connected to a network are most secure from such
    network-based exploits.
    
    
    Risk Rating:
    ============
    
    - Important
    
    
    Patch Availability:
    ===================
    
    - No patches are available to fix this vulnerability. However, there are
    three technical actions for users to take to increase their level of
    operating system and information security:
    
    (1) Boot the affected computer from a floppy disk.
    
    (2) At the command prompt, type "format c: /sys."  For more severely-damaged
    systems, run the FDISK command. (Visit http://fdisk.radified.com/ for
    information on this Microsoft-produced disk utility.)
    
    (3) Once complete, decide on what non-Microsoft operating system you would
    like to use instead. Some suggested ones are Linux and Mac OSX. (Note that
    users will need new hardware to take full advantage of Mac OSX.) Users are
    strongly advised to avoid anything with the words "SCO" or "UnixWare" in it,
    as these words represent a company that's almost as greedy and evil as we
    are at Microsoft.
    
    This Advisory supersedes Microsoft Security Bulletin MS02-0401 "Local User
    Actions May Provide Unauthorized Remote Access" dated 1 April 2002. This
    Bulletin may be found at http://www.infowarrior.org/articles/2002-04.html.
    
    
    Acknowledgment: 
    =============== 
    
    Microsoft thanks Richard Forno for reporting this issue to us and for
    working with us to help protect customers. Richard Forno
    (www.infowarrior.org) thanks the internet community for recognizing a
    belated (but quite truthful) April Fools' joke when they see it.  :)  He
    further thanks Microsoft for producing products that not only keep him and
    his friends employed as IT and security professonals but continue to pollute
    the Internet and adversely impact on people not even running Windows. Thanks
    a bunch, guys.
    
    ----------------------------------------------------------------
    
    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
    WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
    EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
    FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
    SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
    INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
    IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
    LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
    FOREGOING LIMITATION MAY NOT APPLY. MICROSOFT HAS NO KNOWLEDGE OF THIS APRIL
    FOOLS SATIRE AND HAS NOT ENDORSED IT, NOR DID THIS 'SECURITY BULLETIN'
    ORIGINATE FROM ANY MICROSOFT OFFICE. IT'S A SATIRE -- SO READ IT, LAUGH, AND
    HOPEFULLY LEARN FROM IT. :)  MICROSOFT IS A TRADEMARK OF MICROSOFT CORP.
    
    -----BEGIN PGP SIGNATURE----- 
    Version: PGP 7.1
    
    iQEVAwUBP0LEf40ZSRQxA/UrAQGjdgf/cI1c4F3brtV3vKxg7UrySrpwOGlKjqy6
    AL3pfhbXfNQENTfDB1xjhwVeKBKUUdKWZqsK7g0rEdJJOeZeCuJXGlTd78xcrU5j
    Znqi3rpDNAnflmc9MNrB1bAnacHrug6N8SSryoIEZZIjB2v+vkCQhTEMybFZ7eUV
    ICF1xP0qf+h7/aw6TrR/yNTuYUiZWFvU/BfnRPl6bGfqQafv+IU0K+k6jG/7Q4Vx
    Kacv213W0sWWMk3KIognlMACwG9E6m2rVwvA1hilUuFLzwd1ZyHYEsLsy8C5XPFS
    lS5jtGzTznepbJEvSogVc/QSB70pcDrdqF4MDMkQxTrsKeyO0ieIQQ== =+krE
    
    -----END PGP SIGNATURE-----
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 05:09:58 PDT