[35573] in bugtraq
Re: Microsoft technologies. By default, non-HIPAA compliant?
daemon@ATHENA.MIT.EDU (Nicholas Weaver)
Fri Jul 2 20:17:53 2004
Date: Thu, 1 Jul 2004 09:46:50 -0700
From: Nicholas Weaver <nweaver@CS.berkeley.edu>
To: Jeremy Epstein <jeremy.epstein@webmethods.com>
Cc: Anything But Microsoft <abm@anythingbutmicrosoft.org>,
"<@securityfocus.com BUGTRAQ" <BUGTRAQ@securityfocus.com>
Message-ID: <20040701094650.A8541@ring.CS.Berkeley.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5B10E50E14A4594EB1B5566B69AD94070620A3DF@maileast>; from jeremy.epstein@webmethods.com on Wed, Jun 30, 2004 at 01:43:11PM -0400
On Wed, Jun 30, 2004 at 01:43:11PM -0400, Jeremy Epstein composed:
> A slightly less draconian configuration might have a filtering router that
> only allows users to visit particular sites; in that case also, the IE
> problems would be of no concern (since the redirect to the Russian and
> Estonian sites could be prevented).
This would not be the case, as the trojaned sites could easily present
the malware directly, rather than contacting a third party site. That
it didn't is simply a sign that the attacker was less clever and
creative than he could have been. Thus all sites which can be
contacted need to be "trusted".
> The latest set of attacks demonstrate some pretty bad problems, and
> Microsoft deserves a lot of criticism. But let's not go overboard.
A better criticism is that, yeah, QA is important, but this is a known
critical exploit for over a WEEK now and there is no patch in sight.
That the crisis hasn't bloomed further with the simple hack:
Make the malcode modify any .html it can find, and include itself on
that site for download, combined with the continual attacks on IIS
sites, banner servers, etc...
is a mystery to me.
--
Nicholas C. Weaver nweaver@cs.berkeley.edu
