Re: [VulnWatch] FW: failure notice

["Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>]

But I don't get it...

It's still an untrusted web site...Sharepoint "is" a web site.

And if you don't know who's site it is... it still falls into the 
guidance of "it's not a trusted web site".

Besides... antivirus vendors are so far protecting us..

Ken Pfeil wrote:

> Just in case anyone uses IE with Sharepoint.. Boom.
>
> ----- Forwarded message from secure@xxxxxxxxxxxxx -----
>    Date: Tue, 28 Mar 2006 11:47:12 -0800
>    From: Microsoft Security Response Center <secure@xxxxxxxxxxxxx>
> Reply-To: Microsoft Security Response Center <secure@xxxxxxxxxxxxx>
> Subject: RE: Another Attack Vector
>      To: Ken@xxxxxxxxxxxxxx
>
> Hi Ken,
>
> Thanks for getting back to me. I will pass your comments on to the case
> manager handling this behavior with the SharePoint team.
>
> Thanks,
> Christopher, CISSP
>
> -----Original Message-----
> From: Ken@xxxxxxxxxxxxxx [mailto:Ken@xxxxxxxxxxxxxx]
> Sent: Tuesday 28 March 2006 11:42
> To: Microsoft Security Response Center
> Subject: RE: Another Attack Vector
>
> Thank you Christopher,
>
> But there are a bazillion different scenarios where this could be
> slightly more than detrimental. There are literally hundreds of sites
> using Sharepoint for blogs, and anonymous access is an option turned on
> by default. For a real working example, please open the file
> IE_Exploit.txt on the below site and watch filemon dance a jig..
>
> Best,
> Ken
>
>
> Quoting Microsoft Security Response Center <secure@xxxxxxxxxxxxx>:
>
>  
>
> > Hi Ken,
> >
> > Thanks for your note. This is by-design behavior with SharePoint and
> > Internet Explorer and, as you mentioned, is related to IE MIME type
> > detection. The mitigating circumstance in this scenario is that
> > SharePoint sites are authenticated and it would be possible to "audit
> > and punish" the attacker. Just the same, I'll pass this on to the case
> >    
>
>  
>
> > manager for this investigation.
> >
> > Thanks,
> > Christopher, CISSP
> >
> > -----Original Message-----
> > From: Ken@xxxxxxxxxxxxxx [mailto:Ken@xxxxxxxxxxxxxx]
> > Sent: Tuesday 28 March 2006 09:16
> > To: Microsoft Security Response Center
> > Subject: Another Attack Vector
> >
> > There is yet another attack vector for createTextRange() (besides
> > untrusted websites). Windows Sharepoint. If you create a txt file with
> >    
>
>  
>
> > html tags and post it, say in "Shared Documents", IE will render it as
> >    
>
>  
>
> > HTML in the browser when the document is clicked on instead of
> > displaying as text. Example:
> > https://foo.org/Shared%20Documents/test2.txt (code is
> > simple html here, but could have been dangerous). You might want to
> > update your advisory to include this.
> >
> > (And, I know you can de-select "Open Files Based on Content, not file
> > extension" under IE, but that opens your host to *other*
> > vulnerabilites.)
> >
> > Username for the system above for a sample doc is:
> > testuser with password of password.
> >
> > Best,
> > Ken
> >
> >
> >    
>
>
>
>
>
> ----- End forwarded message -----
>
>
>
>  

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com