funsec mailing list archives
MS06-015 Quietly Patching Publicly-Reported Vulnerabilities
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Tue, 11 Apr 2006 19:55:42 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Amidst the dozen-or-so vulnerabilities patched by Microsoft's security bulletins today, something about one of them stood out to me:

"This security update includes a Defense in Depth change which ensures that prompting occurs consistently in Internet zone drag and drop scenarios."

The "drag and drop scenarios" wording seems eerily similar to that of my earlier public report on February 13th about drag-and-drop issues in the browser. If nothing else, the timing is very curious. Microsoft does not note what (if any) CVEs are of relevance to this "defense in depth" change.

More interesting is that it's not an IE patch, but a shell fix, that is involved in this case. The reason that's interesting is that I was specifically informed by MSRC that the vulnerability would be fixed as part of a shell defense-in-depth change. It looks, based purely on the information in the bulletin and no testing of my own, that MS may have attempted to quietly patch CVE-2005-3240 -- the drag-and-drop issue I reported.

Such a semi-documented fix wouldn't be the only one in MS06-015. The FAQ section of the "Windows Shell Vulnerability" item also notes:

"The update for this vulnerability also addresses a publicly disclosed variation that has been assigned Common Vulnerability and Exposure number CVE-2004-2289."

Props to Steve Christie for spotting that.

Draw your own conclusions on this, but it looks to me that Microsoft is attempting to quietly patch publicly reported vulnerabilities where the company took its sweet time to issue fixes. At the very least, the way the information was published in MS06-015 is extremely misleading to Microsoft customers who have been led to believe that the patch is designed to close one specific, privately-reported, previously-unknown vulnerability.

--
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot."
-- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFEPFAOfp4vUrVETTgRAw5lAKCHg3oIrtpi/rSgZaR7G+2aMTj8WACghpMJ
5QpjTyaoTJUFbnfHuFqD0LI=
=Wv9w
-----END PGP SIGNATURE-----
Attachment: smime.p7s (S/MIME Cryptographic Signature)
Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.