Re: [VulnWatch] FW: failure notice

From: Michael Evanchik (mike@private)
Date: Tue Mar 28 2006 - 18:38:52 PST


As far as I know, HTML is not dangerous even in the local zone with IE (not including the 0-day exploit that's out now).
  ----- Original Message ----- 
  From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
  To: Ken Pfeil 
  Cc: vulnwatch@private 
  Sent: Tuesday, March 28, 2006 5:38 PM
  Subject: Re: [VulnWatch] FW: failure notice


  But I don't get it...

  It's still an untrusted web site...Sharepoint "is" a web site.

  And if you don't know whose site it is... it still falls into the 
  guidance of "it's not a trusted web site".

  Besides... antivirus vendors are so far protecting us..

  Ken Pfeil wrote:

  >Just in case anyone uses IE with Sharepoint.. Boom.
  >
  >----- Forwarded message from secure@private -----
  >    Date: Tue, 28 Mar 2006 11:47:12 -0800
  >    From: Microsoft Security Response Center <secure@private>
  >Reply-To: Microsoft Security Response Center <secure@private>
  > Subject: RE: Another Attack Vector
  >      To: Ken@private
  >
  >Hi Ken,
  >
  >Thanks for getting back to me. I will pass your comments on to the case
  >manager handling this behavior with the SharePoint team.
  >
  >Thanks,
  >Christopher, CISSP
  >
  >-----Original Message-----
  >From: Ken@private [mailto:Ken@private]
  >Sent: Tuesday 28 March 2006 11:42
  >To: Microsoft Security Response Center
  >Subject: RE: Another Attack Vector
  >
  >Thank you Christopher,
  >
  >But there are a bazillion different scenarios where this could be
  >slightly more than detrimental. There are literally hundreds of sites
  >using Sharepoint for blogs, and anonymous access is an option turned on
  >by default. For a real working example, please open the file
  >IE_Exploit.txt on the below site and watch filemon dance a jig..
  >
  >Best,
  >Ken
  >
  >
  >Quoting Microsoft Security Response Center <secure@private>:
  >
  >>Hi Ken,
  >>
  >>Thanks for your note. This is by-design behavior with SharePoint and
  >>Internet Explorer and, as you mentioned, is related to IE MIME type
  >>detection. The mitigating circumstance in this scenario is that
  >>SharePoint sites are authenticated and it would be possible to "audit
  >>and punish" the attacker. Just the same, I'll pass this on to the case
  >>manager for this investigation.
  >>
  >>Thanks,
  >>Christopher, CISSP
  >>
  >>-----Original Message-----
  >>From: Ken@private [mailto:Ken@private]
  >>Sent: Tuesday 28 March 2006 09:16
  >>To: Microsoft Security Response Center
  >>Subject: Another Attack Vector
  >>
  >>There is yet another attack vector for createTextRange() (besides
  >>untrusted websites). Windows Sharepoint. If you create a txt file with
  >>html tags and post it, say in "Shared Documents", IE will render it as
  >>HTML in the browser when the document is clicked on instead of
  >>displaying as text. Example:
  >>https://foo.org/Shared%20Documents/test2.txt (code is
  >>simple html here, but could have been dangerous). You might want to
  >>update your advisory to include this.
  >>
  >>(And, I know you can de-select "Open Files Based on Content, not file
  >>extension" under IE, but that opens your host to *other*
  >>vulnerabilities.)
  >>
  >>Username for the system above for a sample doc is:
  >>testuser with password of password.
  >>
  >>Best,
  >>Ken
  >
  >----- End forwarded message -----

  -- 
  Letting your vendors set your risk analysis these days?  
  http://www.threatcode.com
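
A defender-side audit for the behaviour reported in the thread above (a .txt upload that IE renders as HTML because of content-based MIME detection), as an added example that is not part of the original messages. The marker list, extension set, sample uploads and function names are assumptions made for illustration; the `X-Content-Type-Options: nosniff` header is a later browser feature (IE8 onward) than this thread.

```python
import re

# Assumption: illustrative markup list, not IE's exact sniffing table.
HTML_MARKERS = re.compile(
    rb"<\s*(html|head|title|body|script|iframe|img|table|a\s+href|pre|plaintext)\b",
    re.IGNORECASE,
)
# Assumption: extensions a document library is expected to serve as inert text.
TEXT_EXTENSIONS = {".txt", ".log", ".csv"}


def looks_like_html(data: bytes) -> bool:
    """True if the body contains markup a content-sniffing browser may render.

    The whole body is scanned, which is stricter than any prefix-based sniffer.
    """
    return HTML_MARKERS.search(data) is not None


def audit_uploads(uploads):
    """Return names of text-typed uploads whose content looks like HTML.

    `uploads` is an iterable of (filename, content_bytes) pairs.
    """
    flagged = []
    for name, data in uploads:
        dot = name.rfind(".")
        ext = name[dot:].lower() if dot != -1 else ""
        if ext in TEXT_EXTENSIONS and looks_like_html(data):
            flagged.append(name)
    return flagged


def safe_download_headers(filename: str) -> dict:
    """Response headers that keep user-uploaded text from being rendered."""
    # Replace anything outside a conservative set so quotes/CRLF cannot
    # break out of the header value.
    clean = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{clean}"',
    }


# Constructed sample uploads (not taken from the thread's test site).
SAMPLE_UPLOADS = [
    ("test2.txt", b"<html><body><b>rendered, not shown as text</b></body></html>"),
    ("notes.txt", b"Meeting notes: compare a < b and c > d.\n"),
    ("page.html", b"<html></html>"),
]
```
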



This archive was generated by hypermail 2.1.3 : Wed Mar 29 2006 - 05:45:59 PST