Re: [tlug] FireFox Update (1.5.0.5)

["Lyle H Saxon" <llletters@example.com>]

On 7/30/06, Josh Glover <jmglov@example.com> wrote:
> On 29/07/06, Lyle H Saxon <llletters@example.com> wrote:
>
> > I wasn't going to go into this, but since you request more details,
> > here they are.  Being from the PR industry, this warning from CERT
> > positively reeks of attack PR.  I guess they've been damaged by...
> > some corrupting force - use your imagination as to what it might be.
> > Notice how many times they hammer in phrases like:
> >
> > "Mozilla products fail to....",
> >
> > "Mozilla products are vulnerable to....",
> >
> > "Mozilla products contain multiple vulnerabilities...."
>
> CERT advisories always look like this, AFAIK. Remember, CERT was one
> of the groups that advised people stop using IE because of its many
> security holes.

How long have you been reading them?  The difference is in degree.
They were really *shitsukoi* in that last one!  Have a look at one
from March of 2004 (below).  Also note that in the March 2004 one, it
is signed off as:

"Carnegie Mellon University", and now it's:

"US-CERT, a government organization"

The drift to attack PR seems to have coincided with the departure of
the Carnegie Mellon University name, which was something people
respected.  The new version is - apparently - not something to respect
or trust.

> I doubt there is anything sinister going on here, but it is funny that
> someone else (Shannon?) mentioned yesterday at the meeting that the
> media have been beating up on Firefox / Mozilla / Thunderbird
> recently, and he suspects Microsoft influence.
>
> I responded that I was not that cynical, but allowed that there was a
> good chance that he might be right. So might you. I just hope not.

I'm not happy about it, and I wish it weren't the case, but the
content has gone foul, so I'm afraid he was right.  Anyway, have a
look at the March 2004 one as a comparison to the new attack-PR one.

[From March 2004]:

Microsoft Outlook mailto URL Handling Vulnerability

  Original issue date: March 10, 2004
  Last revised: --
  Source: US-CERT

Systems Affected

    * Microsoft Office XP (up to Service Pack 2)
    * Microsoft Outlook 2002 (up to Service Pack 2)

Overview

  A vulnerability in the way that Microsoft Outlook 2002 handles a
  certain type of URL could allow a remote attacker to execute arbitrary
  code on the vulnerable system.

I. Description

  Microsoft Outlook provides a centralized application for managing and
  organizing email messages, schedules, tasks, notes, contacts, and
  other information. Outlook is included as a component of newer
  versions of Microsoft Office and available as a stand-alone product.

  Outlook 2002 exposes a vulnerability due to inadequate checking of
  parameters passed to the Outlook email client. The vulnerability is
  caused by the way a "mailto:"; URL is interpreted. An attacker creating
  specially formatted "mailto:"; URLs can cause Outlook to run privileged
  script, ultimately leading to the execution of arbitrary code. The
  malicious code could be delivered to the victim via a specially
  crafted HTML email message or from an intruder-controlled web page.

  Microsoft originally stated that users were only at risk from this
  vulnerability when Outlook 2002 is configured as the default mail
  reader and when the "Outlook Today" home page is their default folder
  home page. Subsequent information has been published that indicates
  that this is not true and users in other situations are vulnerable via
  a slightly different attack vector.

II. Impact

  An attacker could execute arbitrary code of their choosing on the
  system running the vulnerable version of Outlook. Upon successful
  exploitation, the malicious code would be executed in the context of
  the "Local Machine" Internet Explorer zone under the user running
  Outlook.

III. Solution

Apply a patch

  Apply the appropriate patch as specified by Microsoft Security
  Bulletin MS04-009.

Workarounds

  Microsoft recommends the following workarounds for users who are
  unable to apply the patches:

    * Do not use the "Outlook Today" folder home page in Outlook 2002
      You can help protect against this vulnerability by turning off the
      "Outlook today" folder home page in Outlook 2002.

        1. In the "Folder List" window of Outlook, right-click on
           "Outlook Today" or "Mailbox - [User Name]"

        2. Select Properties for "Outlook Today" or "Mailbox - [User
           Name]"

        3. Select "Home Page" tab

        4. Uncheck "Show home page by default for this folder"

        5. Repeat for all other "Folder List" items labeled "Outlook
           Today" or "Mailbox - [User Name]"

      Impact of Workaround: The "Outlook Today" folder home page would
      no longer be available.

    * If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later,
      read email messages in plain text format to help protect yourself
      from the HTML email attack vector

      Microsoft Outlook 2002 users who have applied Service Pack 1 or
      later and Outlook Express 6.0 users who have applied Service Pack
      1 or later can enable a feature that will enable them to view all
      non-digitally-signed email messages or non-encrypted email
      messages in plain text only. Digitally-signed email messages and
      encrypted email messages are not affected by the setting and may
      be read in their original formats.

      Instructions for enabling these settings can be found at the
      following locations:

         + Outlook 2002 - Microsoft Knowledge Base Article 307594

         + Outlook Express 6.0 - Microsoft Knowledge Base Article 291387

      Impact of Workaround: Email that is viewed in plain text format
      cannot contain pictures, specialized fonts, animations, or other
      rich content. Additionally:

         + The changes are applied to the preview pane and to open
           messages.

         + Pictures become attachments to avoid loss of message content.

         + The object model (custom code solutions) may behave
           unexpectedly because the message is still in Rich Text Format
           or in HTML format in the mail store.

Appendix A. Vendor Information

  This appendix contains information provided by vendors. When vendors
  report new information, this section is updated and the changes are
  noted in the revision history. If a vendor is not listed below, we
  have not received their comments.

Microsoft

    Please see Microsoft Security Bulletin MS04-009.

Appendix B. References

    * US-CERT Vulnerability Note VU#305206 -
      <http://www.kb.cert.org/vuls/id/305206>
    * iDEFENSE Security Advisory 03.09.04 -
      <http://www.idefense.com/application/poi/display?id=79&type=vulner
      abilities>
    * IETF RFC2368, "The mailto URL scheme" -
      <http://www.ietf.org/rfc/rfc2368.txt>
    * Microsoft Security Bulletin MS04-009 -
      <http://microsoft.com/technet/security/bulletin/MS04-009.aspx>
    * Microsoft Knowledge Base Article 307594 -
      <http://support.microsoft.com/default.aspx?kbid=307594>
    * Microsoft Knowledge Base Article 291387 -
      <http://support.microsoft.com/default.aspx?kbid=291387>
    _________________________________________________________________

  This issue was jointly reported publicly by Microsoft Security and
  iDefense. They, in turn, credit Juoko Pyonen with the discovery and
  research of this vulnerability. Information from iDefense and
  Microsoft was used in this document.
_________________________________________________________________

2004 Carnegie Mellon University.


See how matter-of-fact it was in 2004?  No hysterics and no
sledgehammer tactics.  The free press, R.I.P.?  I hope not, but it's
probably high time to begin reading between the lines my friends!

Lyle