[19994] in bugtraq

Re: Microsoft Security Bulletin MS01-020

daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Apr 2 12:41:29 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <tgbsqfzcrb.fsf@mercury.rus.uni-stuttgart.de>
Date:         Mon, 2 Apr 2001 14:50:48 +0200
Reply-To: Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
From: Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <C10F7F33B880B248BCC47DB446738847445E97@red-msg-07.redmond.corp.microsoft.com>

Microsoft Product Security <secnotif@MICROSOFT.COM> writes:

> Title:      Incorrect MIME Header Can Cause IE to Execute E-mail
>             Attachment

I think the title of the advisory is not appropriate, although it's
correct, technically speaking.  It's certainly confusing many people
who're assuming that the problem is related only to HTML e-mail
messages viewed by Internet Explorer, for example, inside Outlook.
These people think there's no need to upgrade because they are using
safe e-mail clients.

Microsoft's advisory does describe the real dangers in the body of the
advisory, but apparently, only a few people have read thus far.  For
example, German mainstream media are picking up the theme, but only
stress the e-mail aspect of it.

I'm not sure if there's a general lesson to learn, but it seems that
nowadays, many people try to read security advisories, even those who
are not familiar with the architecture of the flawed system.  So extra
care is necessary to avoid descriptions which appear ambiguous to the
non-technical reader (or a reader not familiar with the particular
platform).

--
Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
