Bugtraq mailing list archives
Microsoft Security Bulletin and mailer formats
From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Thu, 21 Dec 2000 16:52:58 -0800
-----BEGIN PGP SIGNED MESSAGE-----

The Microsoft Security Response Center is in the process of revising the
Security Bulletin mailer format (attached at the end of this e-mail) and
the Security Bulletin format. Reasons for the changes, as well as samples
of the new formats, are available from the following URL:

http://www.microsoft.com/technet/security/bulletin/newlook.asp

Feedback on both the mailer format and the bulletin format should be sent
to secfdbck () microsoft com

Regards,
Secure () Microsoft com

- ----------------------------------------------
Below is text from above URL
- ----------------------------------------------

At the Microsoft Security Response Center, our goal is to provide
customers with complete, timely and useful information to help them keep
their systems secure. We periodically reassess our publications and look
for ways to improve them. We recently completed such a reassessment, and
have identified a number of changes that we believe will significantly
improve the quality of the security bulletins we post on our web site, and
the mailers that we use to alert customers whenever a new bulletin is
released.

We have several goals in making these changes:

- Make them useful to technical and non-technical readers alike. We know
  that our readers have a wide variety of technical expertise. We've
  changed both the bulletin and mailer formats to let readers who aren't
  technical experts understand immediately what the issue entails and what
  they should do about it. We've also added a section to the bulletin that
  speaks directly to technical readers in the language of a system
  administrator or IT professional.

- Provide additional information. In response to customer suggestions,
  we've added several new sections to the bulletin. For instance, we've
  added sections that cross-reference to industry-standard vulnerability
  tracking databases, advise which service packs the patches can be
  installed on, and discuss the availability of localized versions of the
  patches.

- Ensure that customers always have the latest information. Security
  bulletins are rarely static documents. Instead, we update them
  frequently - for example, to clarify a point or add newly-discovered
  information about the vulnerability. It's vital that our customers
  always have up-to-date information, and as a result, we're changing the
  roles of the bulletin and mailer. We plan to provide the bulk of the
  information via the bulletin, since we can update our web site at a
  moment's notice, and use the mailer as a means of alerting customers
  whenever we release a new bulletin or significantly change an existing
  one.

- Eliminate redundancy and boilerplate. We've done our best to streamline
  both the bulletins and the mailers, and remove anything that doesn't
  contribute to a clear, understandable discussion of the vulnerability.

We've prepared a sample of the new bulletin format, using information from
a previously-released bulletin.

- The original version of the bulletin is available at
  http://www.microsoft.com/technet/security/bulletin/MS00-080.asp
- The new version is available at
  http://www.microsoft.com/technet/security/bulletin/MS00-TEST.asp
- We've also posted a sample of the new mailer format (below) and at
  http://www.microsoft.com/technet/security/bulletin/mailer.asp

The mailer format has been the subject of much debate on several security
mailing lists, and the current format incorporates much of the feedback we
received from those discussions.

We'd like to hear your thoughts about the new bulletin and mailer formats.
The best way to do this is to send a note to secfdbck () microsoft com.
Because of the volume of mail, we can't reply to the notes. However, we do
read every one, and we do our best to implement the suggestions we
receive.

- ------Sample Bulletin Mailer Format----------------------------------

From: Microsoft Product Security
Sent: Monday, October 23, 2000 2:49 PM
To: 'microsoft_security () announce microsoft com'
Subject: Microsoft Security Bulletin (MS00-080)

- ------BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------
Title:      IIS 4.0 and 5.0 do not support secure Session ID cookies
            from .asp pages
Date:       October 23, 2000
Software:   IIS 4.0 and 5.0
Impact:     Web session hijacking
Bulletin:   MS00-080

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS00-TEST.asp.
- ---------------------------------------------------------------------

Issue:
======
IIS supports the use of a Session ID cookie to track the current session
identifier for a web session. However, .ASP in IIS does not support the
creation of secure Session ID cookies as defined in RFC 2109
(http://www.ietf.org/rfc/rfc2109.txt). As a result, secure and non-secure
pages on the same web site use the same Session ID. If a user initiated a
session with a secure web page, a Session ID cookie would be generated and
sent to the user, protected by SSL. But if the user subsequently visited a
non-secure page on the same site, the same Session ID cookie would be
exchanged, this time in plaintext. If an attacker had complete control
over the communications channel, he could read the plaintext Session ID
cookie and use it to connect to the user's session with the secure page.
At that point, he could take any action on the secure page that the user
could take.

Mitigating Factors:
====================
- The attacker would need to have complete control over the target's
  communications with the web site. That is, he would need the ability to
  monitor the target's communications and add his own to the session.
- The attacker could not make the initial connection to the secure page -
  only the legitimate user could do that.
- The vulnerability is limited only to how Session ID cookies are handled
  in .ASP pages. Secure cookies already are supported for all other types
  of cookies, under all other technologies in IIS.

Patch Availability:
===================
A patch is available to fix this vulnerability. Please read the Security
Bulletin MS00-080 for information on obtaining this patch.

Acknowledgment:
===============
- ACROS Security (http://www.acros.si)

- ----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION
OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

- ------BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOjqfz40ZSRQxA/UrAQEqLwf9HLfISg3XYUIlXNzv9pjaV40Q67GEikyW
aST7jKjLhBWkvX1U1V+hS6rqiH2SbaPCxyqQ4U4ly49f6IqYzxTQznGwpoi6LhF6
Fxm+NnL2ErieoeU03AN3mHcZb0vexeVjDC1TO+6CKWg32lCTCcFEw95nkL/uI/uQ
1jUNFCVU6XZOcXjKDD9OQgzR3rxY8JSW11jLYxGMuh6VagZoLEv9/h/BEmdudhKg
fby5J+lVsC7fEQYdx91USdIVr5HTRI5mpVUibHxdptAy6smorIpDLZ02mxaVpWmC
wsd/kZRO7AZi8/xGYQwzRciKJRgBqFRje6K54WFMGUpJx9g1voHu2Q==
=9Ysh
- ------END PGP SIGNATURE-----

(note: PGP Signature relating to the sample bulletin is not valid and is
included for sample purposes only)

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOkKl6o0ZSRQxA/UrAQHVfQgAqfs8T2yaKVglJHaIPazHjsvgb1gJt7S5
vKnhKT5rgVB9PmO0m40P8fLb+40JbT5KawOc6/ZCXwENJHTUWiH5KV82hFFKmJAt
cr5l+c2ukl9AifK5SqmPVebjRSNj6rR/xcNNFy4bxP1EopyBCBO+gFsTJbRAYrh7
/pZC9go6bwMpNYGqS2uvYRDXuMouGmVQOXfo4yOX/+cRfTR1WiAsMPbfw8Bys6SF
/kTcCqocAHtEpOtX24wCZFEdL0+wZJadfTXsmaThz3LmigN3am3p5OVTJFmcTkmh
WvTnax8qLx8THadcQi7XxWXOmz0oGjbAYr7rQn/I1gM8mRN88XlwZg==
=QtIS
-----END PGP SIGNATURE-----
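The sample bulletin's "Issue" section turns on one RFC 2109 detail: a Session ID cookie set without the "secure" attribute is returned by the browser on every later request to the site, including plaintext ones. The following Python, added here as an illustration and not code from Microsoft or from the mailing, parses Set-Cookie headers and reports which session cookies issued by an SSL page a browser would replay over plain http. The cookie-name pattern (classic ASP session cookies named "ASPSESSIONID" plus a suffix) and the sample headers are assumptions constructed for the example.

```python
# Added example (not Microsoft's code): a defender-side check that parses
# Set-Cookie headers and reports session cookies which, lacking the RFC 2109
# "secure" attribute, a browser would also send in plaintext on a non-SSL
# request to the same site.  The name pattern and sample headers are
# assumptions constructed for this example.
from dataclasses import dataclass
import re

# Assumption: classic ASP session cookies are named "ASPSESSIONID<suffix>".
ASP_SESSION_NAME = re.compile(r"^ASPSESSIONID", re.IGNORECASE)


@dataclass
class Cookie:
    name: str
    value: str
    path: str
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into its name, value and the two
    attributes that matter here (path, secure).  Attribute names are
    case-insensitive and "secure" carries no value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path, secure = "/", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "path":
            path = val.strip() or "/"
    return Cookie(name.strip(), value.strip(), path, secure)


def browser_would_send(cookie: Cookie, scheme: str, request_path: str) -> bool:
    """Model the browser's decision for a later request to the same host:
    a "secure" cookie goes out only over https, and the cookie's path must
    be a prefix of the request path (RFC 2109 path matching)."""
    if cookie.secure and scheme != "https":
        return False
    return request_path.startswith(cookie.path)


def exposed_session_cookies(set_cookie_headers, request_path="/"):
    """Names of session cookies issued by a secure page that would be
    replayed in plaintext on an http request for request_path."""
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if ASP_SESSION_NAME.match(cookie.name) and browser_would_send(
            cookie, "http", request_path
        ):
            exposed.append(cookie.name)
    return exposed


# Constructed sample headers as an SSL page might return them.  The first
# mirrors the behaviour the bulletin describes (no "secure" attribute); the
# second is what a fixed server would emit; the third is not a session cookie.
SAMPLE_SET_COOKIE = [
    "ASPSESSIONIDQQGGGNKN=ABCDEFGHIJKLMNOPQRSTUVWX; path=/",
    "ASPSESSIONIDZZZZZZZZ=ZYXWVUTSRQPONMLKJIHGFEDC; path=/; Secure",
    "theme=dark; path=/",
]

if __name__ == "__main__":
    for name in exposed_session_cookies(SAMPLE_SET_COOKIE, "/news/default.asp"):
        print(f"session cookie {name} would be sent in plaintext over http")
```

Run against a site's real response headers, the check flags exactly the condition the bulletin's mitigating factors hinge on: a session identifier that the user first received under SSL but that the browser will hand out in the clear on the next non-secure page. A session cookie that comes back with "Secure" set is not reported, which is the post-patch outcome the bulletin points to.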