Internet Security Update

Gregory Alan Bolcer gbolcer@endeavors.com
Sun, 10 Mar 2002 08:28:18 -0800


I'm still getting used to the idea that Microsoft is
sending out non-signed .exe files in direct mailings
to customers for security fixes--particularly after the
Verisign debacle last year when they issued a root
certificate for someone pretending to be Microsoft. 

Isn't there a better way to do this? 

Greg

Microsoft Corporation Security Center wrote:
> 
> Microsoft Customer,
> 
>      this is the latest version of security update, the
> "6 Mar 2002 Cumulative Patch" update which eliminates all
> known security vulnerabilities affecting Internet Explorer and
> MS Outlook/Express as well as six new vulnerabilities, and is
> discussed in Microsoft Security Bulletin MS02-005. Install now to
> protect your computer from these vulnerabilities, the most serious of which
> could allow an attacker to run code on your computer.
> 
> Description of several well-known vulnerabilities:
> 
> - "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability.
> If a malicious user sends an affected HTML e-mail or hosts an affected
> e-mail on a Web site, and a user opens the e-mail or visits the Web site,
> Internet Explorer automatically runs the executable on the user's computer.
> 
> - A vulnerability that could allow an unauthorized user to learn the location
> of cached content on your computer. This could enable the unauthorized
> user to launch compiled HTML Help (.chm) files that contain shortcuts to
> executables, thereby enabling the unauthorized user to run the executables
> on your computer.
> 
> - A new variant of the "Frame Domain Verification" vulnerability could enable a
> malicious Web site operator to open two browser windows, one in the Web site's
> domain and the other on your local file system, and to pass information from
> your computer to the Web site.
> 
> - CLSID extension vulnerability. Attachments which end with a CLSID file extension
> do not show the actual full extension of the file when saved and viewed with
> Windows Explorer. This allows dangerous file types to look as though they are simple,
> harmless files - such as JPG or WAV files - that do not need to be blocked.
> 
> System requirements:
> Versions of Windows no earlier than Windows 95.
> 
> This update applies to:
> Versions of Internet Explorer no earlier than 4.01
> Versions of MS Outlook no earlier than 8.00
> Versions of MS Outlook Express no earlier than 4.01
> 
> How to install
> Run attached file q216309.exe
> 
> How to use
> You don't need to do anything after installing this item.
> 
> For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
> http://www.microsoft.com/windows/ie/downloads/critical/default.asp
> If you have some questions about this article contact us at rdquest12@microsoft.com
> 
> Thank you for using Microsoft products.
> 
> With friendly greetings,
> MS Internet Security Center.
> ----------------------------------------
> ----------------------------------------
> Microsoft is registered trademark of Microsoft Corporation.
> Windows and Outlook are trademarks of Microsoft Corporation.
> 
>   --------------------------------------------------------------------------------------------------------------
>                   Name: q216309.exe
>    q216309.exe    Type: unspecified type (application/octet-stream)
>               Encoding: base64
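
A gateway-side check for the two attachment traits this message raises: an executable mailed as an attachment, and the CLSID-extension disguise described in the quoted text. It also flags a PE header under a harmless-looking name, which goes beyond what the thread discusses. This is an added example, not part of the original post; the extension list, function names, placeholder CLSID and sample message are constructed assumptions.

```python
import re
from email.message import EmailMessage, Message

# Extensions Windows will run or open as active content (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".chm"}
# A trailing ".{CLSID}" is what hides the real file type in Windows Explorer.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def attachment_findings(msg: Message) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment a gateway should quarantine."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        lowered = name.strip().lower()
        if CLSID_SUFFIX.search(lowered):
            findings.append((name, "clsid-extension"))
            continue
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTS:
            findings.append((name, "executable-attachment"))
        elif payload[:2] == b"MZ":  # DOS/PE magic despite a harmless extension
            findings.append((name, "pe-header-under-other-name"))
    return findings


def build_sample() -> EmailMessage:
    """Constructed message shaped like the mailing above; all payload bytes are fake."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["Subject"] = "Internet Security Update"
    msg.set_content("Run attached file q216309.exe")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="q216309.exe")
    msg.add_attachment(b"RIFF constructed", maintype="application",
                       subtype="octet-stream",
                       filename="a.wav.{00000000-0000-0000-0000-000000000000}")
    msg.add_attachment(b"MZ constructed", maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg


if __name__ == "__main__":
    for filename, reason in attachment_findings(build_sample()):
        print(f"{reason}: {filename}")
```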