Re: [VulnWatch] FW: failure notice
- To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>, "Ken Pfeil" <Ken@xxxxxxxxxxxxxx>
- Subject: Re: [VulnWatch] FW: failure notice
- From: "Michael Evanchik" <mike@xxxxxxxxxxxxxxxxxxx>
- Date: Tue, 28 Mar 2006 21:38:52 -0500
Far as I know, HTML is not dangerous even in local zone with IE (not including
the 0 day exploit that's out now)
----- Original Message -----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
To: Ken Pfeil
Cc: vulnwatch@xxxxxxxxxxxxx
Sent: Tuesday, March 28, 2006 5:38 PM
Subject: Re: [VulnWatch] FW: failure notice
But I don't get it...
It's still an untrusted web site...Sharepoint "is" a web site.
And if you don't know whose site it is... it still falls into the
guidance of "it's not a trusted web site".
Besides... antivirus vendors are so far protecting us..
Ken Pfeil wrote:
>Just in case anyone uses IE with Sharepoint.. Boom.
>
>----- Forwarded message from secure@xxxxxxxxxxxxx -----
> Date: Tue, 28 Mar 2006 11:47:12 -0800
> From: Microsoft Security Response Center <secure@xxxxxxxxxxxxx>
>Reply-To: Microsoft Security Response Center <secure@xxxxxxxxxxxxx>
> Subject: RE: Another Attack Vector
> To: Ken@xxxxxxxxxxxxxx
>
>Hi Ken,
>
>Thanks for getting back to me. I will pass your comments on to the case
>manager handling this behavior with the SharePoint team.
>
>Thanks,
>Christopher, CISSP
>
>-----Original Message-----
>From: Ken@xxxxxxxxxxxxxx [mailto:Ken@xxxxxxxxxxxxxx]
>Sent: Tuesday 28 March 2006 11:42
>To: Microsoft Security Response Center
>Subject: RE: Another Attack Vector
>
>Thank you Christopher,
>
>But there are a bazillion different scenarios where this could be
>slightly more than detrimental. There are literally hundreds of sites
>using Sharepoint for blogs, and anonymous access is an option turned on
>by default. For a real working example, please open the file
>IE_Exploit.txt on the below site and watch filemon dance a jig..
>
>Best,
>Ken
>
>
>Quoting Microsoft Security Response Center <secure@xxxxxxxxxxxxx>:
>
>
>
>>Hi Ken,
>>
>>Thanks for your note. This is by-design behavior with SharePoint and
>>Internet Explorer and, as you mentioned, is related to IE MIME type
>>detection. The mitigating circumstance in this scenario is that
>>SharePoint sites are authenticated and it would be possible to "audit
>>and punish" the attacker. Just the same, I'll pass this on to the case
>>manager for this investigation.
>>
>>Thanks,
>>Christopher, CISSP
>>
>>-----Original Message-----
>>From: Ken@xxxxxxxxxxxxxx [mailto:Ken@xxxxxxxxxxxxxx]
>>Sent: Tuesday 28 March 2006 09:16
>>To: Microsoft Security Response Center
>>Subject: Another Attack Vector
>>
>>There is yet another attack vector for createTextRange() (besides
>>untrusted websites). Windows Sharepoint. If you create a txt file with
>>html tags and post it, say in "Shared Documents", IE will render it as
>>HTML in the browser when the document is clicked on instead of
>>displaying as text. Example:
>>https://foo.org/Shared%20Documents/test2.txt (code is
>>simple html here, but could have been dangerous). You might want to
>>update your advisory to include this.
>>
>>(And, I know you can de-select "Open Files Based on Content, not file
>>extension" under IE, but that opens your host to *other*
>>vulnerabilities.)
>>
>>Username for the system above for a sample doc is:
>>testuser with password of password.
>>
>>Best,
>>Ken
>>
>----- End forwarded message -----
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
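
Added example, not part of the original thread or of any SharePoint code: a server-side upload check for the behaviour Ken describes, where a file named .txt carries HTML tags and the browser renders it instead of displaying text. The extension list, the tag markers, the function names and the sample files are all assumptions made for illustration.

```python
import os
import re

# Extensions a site visitor expects to be shown as plain text (assumed list).
TEXT_EXTENSIONS = {".txt", ".log", ".csv"}

# Illustrative markers only, not Internet Explorer's actual detection table.
HTML_HINT = re.compile(
    rb"<\s*(?:html|head|body|script|title|iframe|img|table|plaintext|a\s+href)\b",
    re.IGNORECASE,
)


def looks_like_html(data: bytes) -> bool:
    """True if an HTML-looking tag appears anywhere in the file body."""
    return HTML_HINT.search(data) is not None


def review_upload(filename: str, data: bytes) -> dict:
    """Flag text-named uploads that a sniffing browser could render as HTML
    and return the response headers to serve the file with."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in TEXT_EXTENSIONS:
        # Out of scope for this check: the file does not claim to be text.
        return {"file": filename, "flagged": False, "headers": {}}
    flagged = looks_like_html(data)
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        # Tells browsers that honour it to trust the declared type.
        "X-Content-Type-Options": "nosniff",
    }
    if flagged:
        # Force a download instead of in-browser display.
        headers["Content-Disposition"] = "attachment"
    return {"file": filename, "flagged": flagged, "headers": headers}


# Constructed sample uploads, not taken from the thread.
SAMPLES = {
    "test2.txt": b"<html><body><b>rendered, not shown as text</b></body></html>",
    "notes.txt": b"Agenda: budget review, 5 < 7 and a > b\n",
    "padded.txt": b" " * 300 + b"<script>1</script>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(review_upload(name, body))
```

The whole body is scanned rather than only its leading bytes, so a tag placed after padding is still flagged.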