At 10:18 AM 4/25/2002, Menashe Eliezer wrote:

>The vulnerabilities' list is accessible even by unprivileged user account.

Only on a FAT drive. By default, only system, admin and the user have permissions to access the file.

>The ability of active content to access this report depends on
>security setting of the browser.
>For example, signed ActiveX that runs in browser with low security
>setting, doesn't need user's approval. User can also choose not to be asked
>whether to launch ActiveX that is signed by a specific signer. In such case,
>the ActiveX doesn't have to be safe for scripting. The ActiveX can do
>anything
>without being scripted at all. There's no need for low security setting of
>the browser.

Please just stop it. This has *nothing* to do with MBSA. If people have a low browser security setting and go around downloading signed (or unsigned for that matter) ActiveX controls then that is their problem, not MBSA's. Even the examples on your web site require much interaction of the user and the explicit loading and executing of the controls. This is bogus. There IS a need for low security for the rogue ActiveX control to be downloaded in the first place.

The reason the "safe for scripting" issue was raised by 3APA3A is that he knows some may have the "Script ActiveX controls marked safe for scripting" turned on... In that case, only these types of controls could be used to access the information, and they would already have to be installed and marked "safe for scripting."

>You can access this report even without active content.
>All you need is a limited exploit that just allows you to read a file.
>
>Deus Attonbitus wrote:
>DA>but the script would also have to be able to discern the currently logged
>DA>on user in order to see where to look in the "Documents and Settings"
>tree.
>1. Discern the currently logged on user - It's a simple Win32 API.
>2. Code can simply look for "Security Scans" folder in tree.
You contradict yourself... Without the ActiveX control, your "limited exploit" to read the file would not be able to run the API call to find out the username. You might be able to use something old to read a known filename in a known location, but where is the "limited exploit" that allows directory recursion? Besides, you don't even know the name of the XML file unless you also guess the domain, the computer name scanned, and the exact date and time (to the second) that the scan was made.

Let's break it down... Here is what would have to happen:

1) Admin downloads and runs MBSA.
2) MBSA tells Admin that he is running on FAT, that the IE Internet zone security is low, that the Outlook security zone is low, and that he has missing patches for known issues.
3) Admin ignores all messages, does nothing to secure his system, and goes about his day whistling "Jimmy crack corn and I don't care."
4) You magically discern who this admin is, and get him to visit your web site using a Jedi Mind Trick.
5) You got Microsoft to sign an ActiveX control that allows you to take full control over the user's box.
6) User downloads control.
7) You use this control to read the MBSA XML file, when you already had full control over the box.
8) You find out what patches are missing and then fire off another exploit against the user to further compromise the system even though the game was already over.

Is that about right?

AD
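The practical question behind this exchange is whether the "Security Scans" report folder is really limited to system, admin and the user, or sits on a FAT volume where no ACLs exist. The PowerShell check below is an added example, not code from the thread or from MBSA: it walks each profile directory for a "Security Scans" folder, reports the hosting volume's file system, and on NTFS lists which identities hold read access. The function name, the `ProfileRoot` parameter and the "broad group" heuristic are assumptions.

```powershell
# Added example, not from the original thread or from MBSA itself.
# Assumption: report folders live at "<profile>\Security Scans" (the location
# the thread describes); the profile root is derived from the running user's
# profile, so both "Documents and Settings" and "Users" layouts are covered.
function Get-SecurityScanExposure {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: override the profile root (e.g. for a test tree).
        [string]$ProfileRoot = (Split-Path -Parent $env:USERPROFILE)
    )
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    # Groups broader than "system, admin and the user" on an NTFS folder.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $scanDir = Join-Path $_.FullName 'Security Scans'
            if (-not (Test-Path -LiteralPath $scanDir)) { return }

            # File system of the hosting volume: FAT/FAT32 carries no ACLs,
            # so every local account can read the XML reports there.
            $drive = [System.IO.Path]::GetPathRoot($scanDir).TrimEnd('\')
            $disk  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"

            # On NTFS, collect identities holding an Allow ACE that includes ReadData.
            $readers = @()
            if ($disk.FileSystem -eq 'NTFS') {
                $readers = @((Get-Acl -LiteralPath $scanDir).Access |
                    Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        (([int]$_.FileSystemRights -band $readData) -ne 0)
                    } |
                    ForEach-Object { $_.IdentityReference.Value } |
                    Sort-Object -Unique)
            }

            [pscustomobject]@{
                Profile    = $_.Name
                ScanFolder = $scanDir
                FileSystem = $disk.FileSystem
                Reports    = @(Get-ChildItem -LiteralPath $scanDir -Filter *.xml -ErrorAction SilentlyContinue).Count
                Readers    = $readers -join '; '
                # Exposed: no ACLs at all (FAT) or a broad group can read the folder.
                Exposed    = ($disk.FileSystem -ne 'NTFS') -or
                             [bool]($readers | Where-Object { $broad -contains $_ })
            }
        }
}

Get-SecurityScanExposure | Format-Table -AutoSize
```

Run it as an administrator so that every profile directory is enumerated; a row with `Exposed` set to True is a report folder readable by more than the three principals the reply describes.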
This archive was generated by hypermail 2b30 : Fri Apr 26 2002 - 08:24:55 PDT