Bugtraq mailing list archives

RE: XWT Foundation Advisory


From: "Microsoft Security Response Center" <secure () microsoft com>
Date: Mon, 29 Jul 2002 15:38:27 -0700


-----BEGIN PGP SIGNED MESSAGE-----

Hi All -

We'd like to set the record straight as regards the advisory
published today by the XWT Foundation.  Microsoft thoroughly
investigated the issue described in the advisory, and discussed our
findings in detail with the advisory's author.  When the XWT
Foundation solicited a response from Microsoft to include in the
advisory, we prepared one that accurately reports the risk the issue
poses and the solution we developed.  It's a pity the XWT Foundation
chose not to honor its promise to include our response.  For the
record, this is the vendor response we provided:

=====================================================================
Microsoft has investigated the issue discussed in the report, and
agrees that the issue is bona fide from a technical standpoint. 
However, because of the difficulties associated with exploiting it
(discussed below), Microsoft believes it is most appropriate to
address the issue via a service pack.  Accordingly, a fix has been
included in IE 6 Service Pack 1, which is due to be released shortly.

Among the barriers that an attacker would face in attempting to
exploit the vulnerability are the following:
* It could only be exploited if the user clicked a link within an
email - it could not be exploited without user interaction.
* It would require that the attacker host a DNS server, a fact that
would be traceable. 
* The attacker would need detailed information about the internals of
the user's network, such as intranet server names.
* If the intranet site were an HTTPS: site, a dialog would warn the
user that the name on the site's certificate did not match the domain
name.
* If the intranet site used cookie-based authentication, the attack
would fail because the attacker's site would be unable to
authenticate on behalf of the user.
* The attack would not work against web servers configured to support
multiple host headers, with the exception of any content served up at
the "default" site.
=====================================================================

Microsoft stands by its assessment of the issue.  Regards,

Microsoft Security Response Center


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

-----END PGP SIGNATURE-----
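
The last barrier in the quoted vendor response depends on how a web server picks a site from the Host header. The sketch below is an added example, not part of the original message or of any vendor's code. It models a server with named sites and an optional "default" site, and shows that a request carrying a name the server does not host reaches only the default site, or nothing when no default is configured. All hostnames and site names are constructed.

```python
from typing import Dict, Optional

# Constructed sample configuration: Host header name -> site served.
SITES: Dict[str, str] = {
    "hr.corp.example": "hr",
    "wiki.corp.example": "wiki",
}


def normalize_host(host_header: str) -> str:
    """Lower-case a Host header value and strip any port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):
        # IPv6 literal such as [::1]:8080 -> keep the bracketed part only.
        host = host[: host.find("]") + 1]
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


class VirtualHostRouter:
    """Name-based site selection with an optional default site."""

    def __init__(self, sites: Dict[str, str], default_site: Optional[str]):
        self.sites = {normalize_host(h): s for h, s in sites.items()}
        self.default_site = default_site

    def route(self, host_header: str) -> Optional[str]:
        """Return the site that answers the request, or None if it is refused."""
        host = normalize_host(host_header)
        if host in self.sites:
            return self.sites[host]
        # Unknown name: only the default site (if any) can answer.
        return self.default_site


if __name__ == "__main__":
    with_default = VirtualHostRouter(SITES, default_site="legacy")
    no_default = VirtualHostRouter(SITES, default_site=None)
    for name in ("hr.corp.example", "www.foreign.example"):
        print(name, with_default.route(name), no_default.route(name))
```

Leaving `default_site` unset, so that unknown names are refused, closes the exception the response notes for content served at the "default" site.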

