RE: Microsoft Security Bulletin MS03-005: Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577)

From: Jason Coombs (jasoncat_private)
Date: Thu Feb 06 2003 - 10:03:41 PST


John Howie wrote:
> I disagree. From a risk perspective you need to know mitigating factors.
> To kill the hype that accompanies a newly discovered vulnerability you
> need a cool, dispassionate, overview of the problem. Your sample
> 'aggravating' factor was anything but, and would be more likely to add
> to the hype.

You're in favor of vendors publishing false statements as a means of
mitigating the threat of hype?

Microsoft, after reading their own security bulletins, mistakenly concludes
that privilege elevation vulnerabilities like MS03-005 "cannot be exploited
remotely."

A privilege elevation threat is in some ways more critical than a buffer
overflow. The reason is that there are attackers out there (especially
insiders) who have been sitting in a position to execute arbitrary code
under unprivileged user account security contexts for years, looking for a
way to elevate privileges. MS03-005 may unleash those pending threats,
because employers routinely "share between users" Windows boxes deployed
within the organization. By design an Active Directory-based network is
"shared between users".

And you should be aware that Windows is not just for the desktop anymore.
Windows is being used as the foundation of Web hosting providers' commercial
services, and Web hosting under Windows is designed to be extensible and
programmable; a privilege elevation exploit that can be mounted by your
neighbor on a shared Web hosting box directly impacts your security. The
entire threat in this case is remote, because it happens on somebody else's
server box where you rent space. To claim that a privilege elevation attack
cannot be exploited remotely is to fail to consider the real world usage
scenarios in which attacks really occur.

I'm sure you've seen as many examples of vendors believing their own
propaganda as I have over the years. A vendor who habitually misstates and
mischaracterizes the risk posed by their products does a lot of harm, and
guarantees that incidents will occur in the future that create far more hype
than would emphasizing the extreme possibilities for exploitation of each
vulnerability in the first place.

Besides, I thought our collective infosec goal was to prevent incidents, not
work together to prevent hype.

Jason Coombs
jasoncat_private

This archive was generated by hypermail 2b30 : Fri Feb 07 2003 - 08:49:21 PST