mailing list archives
Fw: Notes on MS02-068, extensive downplaying of severity
From: "Thor Larholm" <lists.netsys.com () jscript dk>
Date: Thu, 5 Dec 2002 14:42:52 +0100
----- Original Message -----
From: "Thor Larholm" <thor () pivx com>
To: <bugtraq () securityfocus com>
Sent: Thursday, December 05, 2002 2:41 PM
Subject: Notes on MS02-068, extensive downplaying of severity
Following the release of the cumulative MS02-066 patch from the previous
week, Microsoft has released yet another cumulative patch for Internet
Explorer - MS02-068, which can be found at
The sole vulnerability that MS02-068 patches is the "external object
caching" vulnerability discovered by GreyMagic Software. The rater
surprising aspects of this bulletin is the extensive downplaying of
and the incorrect mitigating factors.
Microsoft has given this vulnerability a maximum severity rating of
"Moderate". Great, so arbitrary command execution, local file reading and
complete system compromise is now only moderately severe, according to
Moving on to the technical description, we see yet more inaccuracies. The
entire first paragraph is a falsum:
"Exploiting the vulnerability could enable an attacker to read, but not
change, any file on the user's local computer. In addition, the attacker
could invoke an executable that was already present on the local system.
attacker would need to know the exact location of the executable, and
not be able to pass parameters to it. Microsoft is not aware of any
executable that ships by default as part of Windows and, when run without
parameters, could be dangerous. "
Allow me to rephrase:
Exploiting the vulnerability could enable an attacker to perform any
on the local computer that the user being exploited can perform. This
includes, but is not limited to, reading and changing any file on the
local computer, forcefully placing arbitrary files on the system in any
location and invoking any executable on the system both with and without
Further down we find yet more inaccuracies:
"Without the ability to pass parameters, it's unlikely that an attacker
could do much. For instance, although the attacker could run the command
prompt, he couldn't pass a command (e.g., format c:) to it. "
"This vulnerability provides no way for an attacker to transfer a program
their choice to the user's system. "
Since we can already create and execute arbitrary command scripts on the
machine, I fail to see how the above can be remotely accurate.
this is as simple as creating and executing an automated FTP script, or
merely recreating an EXE file from an embedded string in the HTML.
Microsoft are very much aware of this, and even modified the MS02-066
bulletin (following the post from GreyMagic on Bugtraq) to provide
assistance in mitigating how the HTML Help control can execute commands in
the local zone.
It seems like Microsoft are deliberately downplaying the severity of their
vulnerabilities in an attempt to gain less bad press. It sure would look
to release 2 critical cumulative updates in just 2 weeks, but that is
exactly what has been done. As it stands now, the bulletin is released and
most journalists willing to comment have already noticed the "Moderate"
label and the extensive list of (incorrect) mitigating factors, and quite
likely will not write anything on just how severe this really is. I doubt
most people care to read the revisions to the bulletin that will come
There are currently 18 unpatched publicly known vulnerabilities in
Explorer, of which I have labelled 6 as severe.
Thor Larholm, Security Researcher
PivX Solutions, LLC
Strike Now, StrikeFirst!
Full-Disclosure - We believe in it.
- Fw: Notes on MS02-068, extensive downplaying of severity Thor Larholm (Dec 05)