Far as I know HTML is not dangerous even in local zone with IE (not including the 0 day exploit that's out now)

----- Original Message -----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
To: Ken Pfeil
Cc: vulnwatch@private
Sent: Tuesday, March 28, 2006 5:38 PM
Subject: Re: [VulnWatch] FW: failure notice

But I don't get it... It's still an untrusted web site... Sharepoint "is" a web site. And if you don't know whose site it is... it still falls into the guidance of "it's not a trusted web site".

Besides... antivirus vendors are so far protecting us..

Ken Pfeil wrote:

>Just in case anyone uses IE with Sharepoint.. Boom.
>
>----- Forwarded message from secure@private -----
>    Date: Tue, 28 Mar 2006 11:47:12 -0800
>    From: Microsoft Security Response Center <secure@private>
>Reply-To: Microsoft Security Response Center <secure@private>
> Subject: RE: Another Attack Vector
>      To: Ken@private
>
>Hi Ken,
>
>Thanks for getting back to me. I will pass your comments on to the case
>manager handling this behavior with the SharePoint team.
>
>Thanks,
>Christopher, CISSP
>
>-----Original Message-----
>From: Ken@private [mailto:Ken@private]
>Sent: Tuesday 28 March 2006 11:42
>To: Microsoft Security Response Center
>Subject: RE: Another Attack Vector
>
>Thank you Christopher,
>
>But there are a bazillion different scenarios where this could be
>slightly more than detrimental. There are literally hundreds of sites
>using Sharepoint for blogs, and anonymous access is an option turned on
>by default. For a real working example, please open the file
>IE_Exploit.txt on the below site and watch filemon dance a jig..
>
>Best,
>Ken
>
>
>Quoting Microsoft Security Response Center <secure@private>:
>
>>Hi Ken,
>>
>>Thanks for your note. This is by-design behavior with SharePoint and
>>Internet Explorer and, as you mentioned, is related to IE MIME type
>>detection. The mitigating circumstance in this scenario is that
>>SharePoint sites are authenticated and it would be possible to "audit
>>and punish" the attacker. Just the same, I'll pass this on to the case
>>manager for this investigation.
>>
>>Thanks,
>>Christopher, CISSP
>>
>>-----Original Message-----
>>From: Ken@private [mailto:Ken@private]
>>Sent: Tuesday 28 March 2006 09:16
>>To: Microsoft Security Response Center
>>Subject: Another Attack Vector
>>
>>There is yet another attack vector for createTextRange() (besides
>>untrusted websites). Windows Sharepoint. If you create a txt file with
>>html tags and post it, say in "Shared Documents", IE will render it as
>>HTML in the browser when the document is clicked on instead of
>>displaying as text. Example:
>>https://foo.org/Shared%20Documents/test2.txt (code is
>>simple html here, but could have been dangerous). You might want to
>>update your advisory to include this.
>>
>>(And, I know you can de-select "Open Files Based on Content, not file
>>extension" under IE, but that opens your host to *other*
>>vulnerabilities.)
>>
>>Username for the system above for a sample doc is:
>>testuser with password of password.
>>
>>Best,
>>Ken
>>
>
>----- End forwarded message -----
>

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
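
An added example, not part of the original thread: an upload check a document library could run against the behaviour described above, flagging text-extension files whose leading bytes contain HTML markup and serving them as downloads. The 256-byte window, the tag list, the extension set and all function names are assumptions of this example, not IE's exact heuristic or a SharePoint API.

```python
import codecs
import os
import re

SNIFF_WINDOW = 256  # assumption: leading bytes a content sniffer inspects
TEXT_EXTENSIONS = {".txt", ".log", ".csv"}  # assumption: types meant to display as text
# Illustrative tag list (an assumption, not IE's exact heuristic).
HTML_HINT = re.compile(
    r"<\s*(?:!doctype|!--|html|head|title|body|script|iframe|img|table|pre"
    r"|plaintext|a\s+href)",
    re.IGNORECASE,
)
BOMS = [(codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be")]


def decode_head(data: bytes, window: int = SNIFF_WINDOW) -> str:
    """Decode the sniffed prefix, honouring a BOM so UTF-16 markup is not missed."""
    head = data[:window]
    for bom, encoding in BOMS:
        if head.startswith(bom):
            return head[len(bom):].decode(encoding, errors="ignore")
    return head.decode("latin-1")  # maps every byte to a character, never raises


def looks_like_html(data: bytes) -> bool:
    return HTML_HINT.search(decode_head(data)) is not None


def review_upload(filename: str, data: bytes) -> dict:
    """Decide how a document library should serve one uploaded file."""
    ext = os.path.splitext(filename)[1].lower()
    risky = ext in TEXT_EXTENSIONS and looks_like_html(data)
    headers = {"Content-Type": "text/plain",
               # nosniff is honoured by IE 8 and later; older IE ignores it
               "X-Content-Type-Options": "nosniff"}
    if risky:
        # Force a download so the browser does not render it in the site's origin
        headers["Content-Disposition"] = "attachment"
    return {"file": filename, "flag": risky, "headers": headers}


# Constructed sample uploads (not taken from the thread's test site)
SAMPLES = {
    "notes.txt": b"Meeting notes: ship build 1.2 < 1.3 on Friday\n",
    "test2.txt": b"<html><body><b>rendered, not shown as text</b></body></html>",
    "wide.txt": codecs.BOM_UTF16_LE + "<script>".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(review_upload(name, body))
```
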
This archive was generated by hypermail 2.1.3 : Wed Mar 29 2006 - 05:45:59 PST