Re: OpenVMS - When downtime is not an option



david20@xxxxxxxxxxxxxxxx wrote:
In article <39qdnSc41MVyvxHbnZ2dnUVZ_ompnZ2d@xxxxxxxxxxxxxxxxxxxxxxxx>, Bill Todd <billtodd@xxxxxxxxxxxxx> writes:
david20@xxxxxxxxxxxxxxxx wrote:
In article <h8SdnWZlQ7mWVRfbnZ2dnUVZ_vmqnZ2d@xxxxxxxxxxxxxxxxxxxxxxxx>, Bill Todd <billtodd@xxxxxxxxxxxxx> writes:
Main, Kerry wrote:

....

If the design and/or architecture of the OS platform allows an application bug to provide access to protected data and/or provides elevated rights on the system, does it matter if it is an application or kernel OS issue?
Clearly, that would be an OS bug (or at least a serious design flaw, if indeed it were intentional rather than inadvertent) - *if* it had been the case in this instance.

It was not: the bugs *only* affected Exchange Server. If Exchange Server was designed such that it had to execute in a privileged environment (such that once compromised itself it could compromise other parts of the system as you describe above), rather than designed modularly such that at most a few critical parts of it might require privilege (certainly not including the parsing functions that these bugs affected) and the rest could run unprivileged, that was an *Exchange Server* design flaw, not a Windows flaw.

What is this "IF" ?
As I'm starting to get tired of saying, *exactly* what it seems to be.

From http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx


"An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights"

Obviously this means that the codepath executed by the bug must run at a high privilege level.
Obviously you're not very familiar with Microsoft's exposure descriptions.

Microsoft *always* uses this phrase (which if you read it more carefully says 'could', not 'can') whenever it *may* be possible that the execution environment is privileged, very frequently following it (as indeed it does in this case) with the clarification that what *really* happens is that the attacker gains the privilege of the applicable execution environment, whatever that privilege level may be.


Please quote the section in MS07-026 which provides the above clarification for the MIME Decoding Vulnerability since I cannot see it anywhere.

That's how I interpret its statement "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights" (i.e., I think the last four words distribute over all the elements in the preceding list - and note in any event that they talk about *user* rights rather than *administrator* rights).


Microsoft often does say that the exposure only gives the privilege that the application is running under (for instance, for the MS07-026 OWA script injection vulnerability it says

"or take any action that the user could take within the context of the OWA session."

However the more usual formulation is as in MS07-017 for the Windows animated cursor remote execution vulnerability:

"an attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights")

but I see nothing like that for the MIME decoding vulnerability.

See above (though the phrasing is fuzzy enough to admit to varying interpretation).

What I had in mind was the more common phrasing reflected in MS07-035, where it says "An attacker who successfully exploited this vulnerability could take complete control of an affected system" but then clarifies that as follows: "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."



"Could" is used here as the past simple of "can" (since the preceding phrase "An attacker who successfully exploited this vulnerability" is assumed to have already happened by the subsequent phrase).

See

http://dictionary.cambridge.org/define.asp?key=17507&dict=CALD

In the example I provided immediately above (which uses nearly identical phrasing) 'could' is clearly used exactly as I described it.

- bill


