Re: Microsoft technologies. By default, non-HIPAA compliant?

To: Jeremy Epstein <jeremy.epstein@xxxxxxxxxxxxxx>
Subject: Re: Microsoft technologies. By default, non-HIPAA compliant?
From: Nicholas Weaver <nweaver@xxxxxxxxxxxxxxx>
Date: Thu, 1 Jul 2004 09:46:50 -0700
Cc: Anything But Microsoft <abm@xxxxxxxxxxxxxxxxxxxxxxxx>, "<@securityfocus.com BUGTRAQ" <BUGTRAQ@xxxxxxxxxxxxxxxxx>
In-reply-to: <5B10E50E14A4594EB1B5566B69AD94070620A3DF@maileast>; from jeremy.epstein@xxxxxxxxxxxxxx on Wed, Jun 30, 2004 at 01:43:11PM -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <5B10E50E14A4594EB1B5566B69AD94070620A3DF@maileast>
User-agent: Mutt/1.2.5.1i

On Wed, Jun 30, 2004 at 01:43:11PM -0400, Jeremy Epstein composed:
> A slightly less draconian configuration might have a filtering router that
> only allows users to visit particular sites; in that case also, the IE
> problems would be of no concern (since the redirect to the Russian and
> Estonian sites could be prevented).

This would not be the case, as the trojaned sites could easily present
the malware directly, rather than contacting a third party site.  That
it didn't is simply a sign that the attacker was less clever and
creative than he could have been.  Thus all sites which can be
contacted need to be "trusted".

> The latest set of attacks demonstrate some pretty bad problems, and
> Microsoft deserves a lot of criticism.  But let's not go overboard.

A better criticism is that, yeah, QA is important, but this is a known
critical exploit for over a WEEK now and there is no patch in sight.

That the crisis hasn't bloomed further with the simple hack:

Make the malcode modify any .html it can find, and include itself on
that site for download, combined with the continual attacks on IIS
sites, banner servers, etc...

is a mystery to me.

-- 
Nicholas C. Weaver                                 nweaver@xxxxxxxxxxxxxxx

References:
- RE: Microsoft technologies. By default, non-HIPAA compliant?
  - From: Jeremy Epstein

Prev by Date: MD5 hash cracking service
Next by Date: [ GLSA 200407-01 ] Esearch: Insecure temp file handling
Previous by thread: RE: Microsoft technologies. By default, non-HIPAA compliant?
Next by thread: Microsoft technologies. By default, non-HIPAA compliant?
Index(es):
- Date
- Thread