Bugtraq mailing list archives

Microsoft Security Bulletin and mailer formats


From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Thu, 21 Dec 2000 16:52:58 -0800

-----BEGIN PGP SIGNED MESSAGE-----

The Microsoft Security Response Center is in the process of revising
the Security Bulletin mailer format (attached at the end of this
e-mail) and the Security Bulletin format.  Reasons for the changes,
as well as samples of the new formats, are available from the
following URL:

http://www.microsoft.com/technet/security/bulletin/newlook.asp

Feedback on both the mailer format and the bulletin format should be
sent to secfdbck () microsoft com

Regards,

Secure () Microsoft com

- ----------------------------------------------
Below is text from above URL
- ----------------------------------------------

At the Microsoft Security Response Center, our goal is to provide
customers with complete, timely and useful information to help them
keep their systems secure. We periodically reassess our publications
and look for ways to improve them. We recently completed such a
reassessment, and have identified a number of changes that we
believe will significantly improve the quality of the security
bulletins we post on our web site, and the mailers that we use to
alert customers whenever a new bulletin is released.

We have several goals in making these changes: 

 - Make them useful to technical and non-technical readers alike. We
know that our readers have a wide variety of technical expertise.
We've changed both the bulletin and mailer formats to let readers
who aren't technical experts understand immediately what the issue
entails and what they should do about it. We've also added a section
to the bulletin that speaks directly to technical readers in the
language of a system administrator or IT professional.

 - Provide additional information. In response to customer
suggestions, we've added several new sections to the bulletin. For
instance, we've added sections that cross-reference to
industry-standard vulnerability tracking databases, advise which
service packs the patches can be installed on, and discuss the
availability of localized versions of the patches.

 - Ensure that customers always have the latest information. Security
bulletins are rarely static documents. Instead, we update them
frequently - for example, to clarify a point or add newly-discovered
information about the vulnerability. It's vital that our customers
always have up-to-date information, and as a result, we're changing
the roles of the bulletin and mailer. We plan to provide the bulk of
the information via the bulletin, since we can update our web site at
a moment's notice, and use the mailer as a means of alerting
customers whenever we release a new bulletin or significantly change
an existing one.

 - Eliminate redundancy and boilerplate. We've done our best to
streamline both the bulletins and the mailers, and remove anything
that doesn't contribute to a clear, understandable discussion of the
vulnerability.

We've prepared a sample of the new bulletin format, using information
from a previously-released bulletin.

 - The original version of the bulletin is available at
   http://www.microsoft.com/technet/security/bulletin/MS00-080.asp 

 - The new version is available at
   http://www.microsoft.com/technet/security/bulletin/MS00-TEST.asp

 - We've also posted a sample of the new mailer format (below) and at
   http://www.microsoft.com/technet/security/bulletin/mailer.asp

The mailer format has been the subject of much debate on several
security mailing lists, and the current format incorporates much of
the feedback we received from those discussions.

We'd like to hear your thoughts about the new bulletin and mailer
formats. The best way to do this is to send a note to
secfdbck () microsoft com. Because of the volume of mail, we can't reply
to the notes. However, we do read every one, and we do our best to
implement the suggestions we receive.


- ------Sample Bulletin Mailer Format----------------------------------

From: Microsoft Product Security 
Sent: Monday, October 23, 2000 2:49 PM
To: 'microsoft_security () announce microsoft com'
Subject: Microsoft Security Bulletin (MS00-080) 


- ------BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------
Title:      IIS 4.0 and 5.0 do not support secure Session ID 
                cookies from .asp pages
Date:       October 23, 2000
Software:   IIS 4.0 and 5.0
Impact:     Web session hijacking
Bulletin:   MS00-080

Microsoft encourages customers to review the Security Bulletin at:  
http://www.microsoft.com/technet/security/bulletin/MS00-TEST.asp.
- ---------------------------------------------------------------------

Issue:
======
IIS supports the use of a Session ID cookie to track the current
session identifier for a web session. However, .ASP in IIS does 
not support the creation of secure Session ID cookies as defined 
in RFC 2109 (http://www.ietf.org/rfc/rfc2109.txt). As a result, 
secure and non-secure pages on the same web site use the same 
Session ID.  

If a user initiated a session with a secure web page, a Session ID
cookie would be generated and sent to the user, protected by SSL.  
But if the user subsequently visited a non-secure page on the same 
site, the same Session ID cookie would be exchanged, this time in 
plaintext. If an attacker had complete control over the 
communications channel, he could read the plaintext Session ID 
cookie and use it to connect to the user's session with the secure 
page. At that point, he could take any action on the secure page 
that the user could take.

Mitigating Factors:
====================
 - The attacker would need to have complete control over the
   target's communications with the web site. That is, he would 
   need the ability to monitor the target's communications and add 
   his own to the session. 
 - The attacker could not make the initial connection to the secure
   page - only the legitimate user could do that.  
 - The vulnerability is limited only to how Session ID cookies are
   handled in .ASP pages. Secure cookies already are supported for 
   all other types of cookies, under all other technologies in IIS.
    
Patch Availability:
===================
A patch is available to fix this vulnerability. Please read the 
Security Bulletin MS00-080 for information on obtaining this patch.

Acknowledgment:
===============
 - ACROS Security (http://www.acros.si)   

- ----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

- ------BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

- ------END PGP SIGNATURE-----
(note: PGP Signature relating to the sample bulletin is not valid
and is included for sample purposes only)


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

-----END PGP SIGNATURE-----
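
The behaviour described in the sample mailer's "Issue" section, as an added Python example that is not part of the original message or of Microsoft's bulletin: a minimal client-side cookie jar honouring the RFC 2109 Secure attribute, plus an audit helper that flags session cookies issued without it. The host name, cookie names and values are constructed, the ASPSESSIONID name prefix is an assumption about the deployment being audited, and path and domain matching are left out.

```python
# Added illustration: models RFC 2109 "Secure" cookie handling in a client.
# Host name, cookie names and values used with it are constructed samples.
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into (name, value, attrs); attr keys lowercased."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


class CookieJar:
    """Minimal per-host jar: a cookie marked Secure is only returned over https."""

    def __init__(self):
        self._cookies = {}  # (host, name) -> (value, secure_flag)

    def store(self, url, header_value):
        host = urlsplit(url).hostname
        name, value, attrs = parse_set_cookie(header_value)
        self._cookies[(host, name)] = (value, "secure" in attrs)

    def cookies_for(self, url):
        """Return {name: value} the client would attach to a request for url."""
        target = urlsplit(url)
        return {
            name: value
            for (host, name), (value, secure) in self._cookies.items()
            if host == target.hostname and (target.scheme == "https" or not secure)
        }


def exposed_over_http(set_cookie_values, session_prefixes=("ASPSESSIONID",)):
    """Audit helper: names of session cookies issued without the Secure attribute."""
    exposed = []
    for header_value in set_cookie_values:
        name, _, attrs = parse_set_cookie(header_value)
        # The prefix list is an assumption; adjust it to the site's session cookie.
        if name.upper().startswith(session_prefixes) and "secure" not in attrs:
            exposed.append(name)
    return exposed
```

Running exposed_over_http over the Set-Cookie values captured from a site's SSL-protected pages lists the session cookies a client would also send on that site's plain-HTTP pages.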

