From: redteam@all.net Reply-to: redteam@all.net Organization: Red Team Mailing List Subject: RedTeam Mailing List 1998-10-26
---------------------------------------------
[Thought this might interest some - FC]
From: anonymous
Subject: MS, Firewalls and NT security.
Date: Sun, 25 Oct 1998 17:48:49 -0800

I haven't been able to get to comp.risks because it was censored by Win98 as a valid usenet group... I just told Peter to add me to the list again. I decided to go through the archives. This issue with the firewall is very interesting. I was wondering why with maximum security I was able to access these Channel sites that came with Win98 such as the WB site that runs a very complex VBScript and one of the other ones that was running a Java script like you said. They must have them listed somewhere in their system as you pointed out. I read your "How to bypass those pesky firewalls" today. I went to the site http://umweb2.unitedmedia.com/ and it didn't flag the JAVA at all. Now I'm wondering if Microsoft has done something to remove my security options. As for the guy named Ed Curry. I read an article at http://www.zdnet.com/windows/wpro/9810/security_lockdown_dod.html

NT Systems May Not Be Locked by Mary Jo Foley, Sm@rt Reseller
Ed Curry is a man on a mission. Curry says he is out to warn the government that Windows NT is not secure, and will soon meet with the Secretary of Defense staff. Microsoft Corp. says he is on a personal vendetta against the company.

They have always said the same thing about me too. They defamed me so badly that I was under investigation for breaking into the Federal Building at one time. It turned out to be all made up because they knew who I was. I also found out that my FBI kept record was modified too. They went after my medical records, credit cards and even my kids. The GSA Policeman was pretty shaken by the whole mess. There are people in Microsoft that don't even consider what they are doing. I had thousands taken against my credit cards and the insurance refused to pay. Some of the charges were to bogus companies too. 
I could get any information from the credit card people. Curry had a meeting about the NT security issue with the top of the DOD on Oct. 14th. I've been through the same kind of thing that he is talking about. I'm desperate to find his e-mail address and his contacts so he can pass what I'm sending to you on. I've been testing Win98 for weeks. I'm retired compliments of Microsoft--they assaulted me on the job and I ended up with a handicap due to a spinal injury. Then they blackballed me because they didn't like the fact that I said bad things about them--this is because I reported what they did to me to Gates injury for attempting to report bugs. This is why I don't post to risk list. You go to the FBI and they do nothing. I've not seen my children in three years because of these crazy people. One guy had a drive by shooting at his house. Another guy was shot coming out of Midnight Mass on Christmas many years ago. When they went after me, I started hearing all kinds of horror stories. One guy recently told me he was almost fired from the company when they found him documenting what we now know is the undocumented code in about Win 98 development about certain header files they didn't want documented. So we DO have a lot of undocumented code in Win 98! I usually pass things on to people who may be interested in the subject. I've had 4 web sites censored after their attorneys threatened my ISP. My last two sites had the Desk Top 4 military contract on it and a lot about security or the lack of it. It was all on Zenith machines so don't think the Government uses the best. The government goes with the lowest bidder, not the best! This is how NT took out the Novell servers: it was cheaper. If you've been involved with Microsoft the way I have, you develop a sixth sense about them. Win98's file structure design is a major issue. I was testing Outlook Express with background sounds and wanted to see how they were sending them. I couldn't find the folders... 
So I did a search in DOS and found them in a sub directory of the Windows Dir.--the worst place to have them. So I attempted to move my folder. NO can do... (Perhaps it's possible during setup.) It makes no sense to have them there. There are all kinds of routines that can be run that go into the Windows directory. If you know how to access the API in windows and make calls to their DLLs you can really do just about whatever you want. So I reported it to Gates. In about a week they had a patch for one of the VBScript calls but it's not enough. I know there is other stuff out there that can be done. My very first concern with VBScript is the ability to write your own object controls that access the DLLs. Patching one control doesn't prevent someone from writing another.:-) I'm constantly getting popped onto MSN or Microsoft.com for technical support. Because I'm a person of interest I was not allowing cookies and was trying to keep my identification concealed. On one occasion some smart guy grabbed part of my licensing information from my computer and posted it in a page as a greeting! I am not the right person to greet. So I copied that and reported it to Gates also! In the patch it said that only a hostile site can cause a problem with file access. Microsoft has both the motivation and arrogance to spy on just about anyone. It's the kind of thing you hear people brag about inside the company in the lunch rooms. :-) I'm 47 and know what they do over there. I once jokingly wrote to Gates and said that if they were going to do illegal things they shouldn't brag about it openly! The security at Microsoft is really bad so it's not unusual for a contractor to walk out the door with header files to the undocumented code in Windows. I know it's out there. 
And given the way Microsoft treats their contractors, I'm sure that some are using it to get back at them.:-) They are in a constant state of terror because of all the hacking that goes on.:-) I was working with Microsoft military and government OEMs as a systems engineer. The licensing number on their products can identify the OEM contract and that means that they know if someone is in the military or working in the government. So if you log onto Microsoft's site, they grab your license and notice you are of interest. Then they can also go and grab your e-mail very quickly because they know the path. I was pretty sure that some of the leaks from DC were coming from such back door operations. I wonder if these folks would be so happy if they found out that Microsoft had the ability to read their e-mail? I asked one of my engineer friends who quit MS as a multimillionaire how come Microsoft could fix these security problems and other bugs so fast. He said they most likely had the code just sitting there for the fix and someone was told not to fix it by management. Go figure. He said that a lot of the engineers are upset about this kind of thing. According to him they have all kinds of tricky stuff and some of them use it in-house to spy. A lot of the contractors say the same thing. A few years ago someone sent e-mail in Gates' name on April Fools giving everyone the day off just to let him know he wasn't in charge anymore. The pie he was hit with was done by his own people in sales. Anyone who has posted a negative about MS on the Internet should really watch what their e-mail is doing when they go to MS's site or some of these sites run by their agents or contractors. NT was the only server the military was allowed to buy in the Desk Top 4 contract in 1994. It was so bad that one of the government sales reps at DEC told me that NASA put together a contract for Novell Servers and the military was then allowed to buy off it because the security issue was so bad in NT. 
What bothers me is that their security is still bad. I warned Gates that if he didn't fix the security in NT and Windows he would lose his contracts. I've heard that is just about what is going to happen. Neumann wants me to write a book.:-) Microsoft makes about 40% of their profits from the government contracts. They used to make jokes about ripping off the OEMs so bad. The OEM contracts require that the OEM make any manuals and provide developer support. They even have to sell the contracts. In my license it said that I had three months of free support from them. But when I called I was refused support and told to call HP. Tantum and others are knocking at the government's door. They hate me at Microsoft because Gates always checks out anything I write to him about because I'm a woman and he had a thing for me once. More like an obsession. From what I can tell here locally, Ballmer is stalling NT and Gates is digging through code again... I think this is really funny. And we now have a local union enrolling Microsoft's. So they have some real interesting things happening. I copied this because I figured it would disappear quickly from their web and it did. So I'm trying to get it distributed. Show this to your bosses and explain the e-mail issue. You may want to consider a different e-mail package. Here is the description of the post:

Microsoft Security Bulletin (MS98-015)
----------------------------------------------------------------------------
Update available for "Untrusted Scripted Paste" Issue in Microsoft Internet Explorer 4.01

Originally Posted: October 16, 1998
Last Revised: October 16, 1998

Summary

Microsoft has released a patch that fixes a vulnerability involving scripted pastes that has been discovered with Internet Explorer 4.01 on Win32 and Win16 platforms. The vulnerability could make it possible for a malicious hacker to create a web site that, when visited, is able to use script to read a file on the user's system. 
The file must be in a location known to the malicious hacker. This has also been referred to as the "Cuartango" vulnerability. Microsoft highly recommends that users that have affected software installed on their systems should download and install the available patch as soon as possible.

Issue

The "Untrusted Scripted Paste" issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious Web site operator to read the contents of a file on the user's computer if the hacker knows the exact name and path of the targeted file. This could also be used to view the contents of a file on the user's network to which the user has access, and whose direct path name is known by the attacker. The nature of this problem is that a script is able to use the Document.ExecCommand function to paste a filename into the file upload intrinsic control, which should only be possible by explicit user action. As a result, a subsequent form submission could send the file to a remote web site unbeknownst to the user if the user has disabled the default warning that is displayed when submitting unencrypted forms (see "Administrative Workaround" below for information on re-enabling this functionality). While there have not been any reports of customers being adversely affected by these problems, Microsoft is releasing a patch to address any risks posed by this issue.

Affected Software Versions

Microsoft Internet Explorer 4.01 and 4.01 SP1 on Windows NT 4.0, Windows 95
Microsoft Windows 98, with integrated Internet Explorer
Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51

This vulnerability could also affect software that uses HTML functionality provided by Internet Explorer, even if Internet Explorer is not used as your default browser. 
All customers that have affected versions of Internet Explorer on their systems should install this patch, whether or not they use Internet Explorer for web browsing. This vulnerability does not affect Internet Explorer 3.x or 4.0 on any platform. This does not affect any Macintosh or UNIX versions of Internet Explorer.

What Microsoft is Doing

On October 16th Microsoft released a patch that fixes the problem identified. This patch is available for download from the sites listed below. Microsoft has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service (see http://www.microsoft.com/security/bulletin.htm for more information about this free customer service). Microsoft has published the following Knowledge Base (KB) articles on this issue:

Microsoft Knowledge Base (KB) article Q169245, Update available for "Untrusted Scripted Paste" Issue
http://support.microsoft.com/support/kb/articles/q169/2/45.asp
(Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.)

What customers should do

Microsoft highly recommends that users that have affected software installed on their systems should download and install the available patch as soon as possible. Complete URLs for each affected software version are given below.

Windows 98
Windows 98 customers can obtain the patch using Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click "Product Updates." When prompted, select 'Yes' to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the "Critical Updates" section of the page. 
Internet Explorer 4.01
Customers using Internet Explorer 4.01 can obtain the patch from the Internet Explorer Security web site, http://www.microsoft.com/ie/security/paste.htm

Administrative workaround

Microsoft strongly encourages customers to apply the patch. However, there are additional actions that can be taken to ensure safe computing:

If the user has disabled the default warning that is displayed when submitting unencrypted forms, re-enabling this feature can provide additional protection. This warning prompt makes sure users are aware if a script attempts to submit data using forms. Users should be cautious if they see this warning when browsing and have not actually chosen to submit any data. To turn on this prompt: From Internet Explorer, choose "Internet Options" from the "View" menu. Click on the tab labeled "Security". Click on "Internet Zone", then click "Customize Settings". Scroll to "Submit non-encrypted form data" and click on "Prompt" (or "Disable" if you prefer). These same procedures should be followed for the "Restricted Sites" Zone.

Additionally, users who cannot apply the patch immediately can disable Active Scripting technologies in Internet Explorer to protect themselves from this issue. Customers can use the Zones security feature in Internet Explorer 4 to disable Active Scripting (VBScript and JScript) in untrusted or unknown Internet sites, while still permitting known and trusted sites that use JScript and VBScript to work properly. To turn off Active Scripting for the "Internet" Zone: From Internet Explorer, choose "Internet Options" from the "View" menu. Click on the tab labeled "Security". Click on "Internet Zone", then click "Customize Settings". Scroll to the bottom of the list and click on "Disable" under the "Active Scripting" setting. These same procedures should be followed for the "Restricted Sites" Zone. Sites that are trusted to use JScript and VBScript can be added to the Trusted Zones list. 
For more information on using Zones, please see the Online Help included with Internet Explorer.

More Information

Please see the following references for more information related to this issue.

Microsoft Security Bulletin MS98-015, Update available for "Untrusted Scripted Paste" Issue in Microsoft Internet Explorer 4.01, (the Web posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms98-015.htm

Microsoft Knowledge Base (KB) article Q169245, Update available for "Untrusted Scripted Paste" Issue
http://support.microsoft.com/support/kb/articles/q169/2/45.asp
(Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.)

Obtaining Support on this Issue

This is a supported patch for Internet Explorer. If you have problems installing this patch or require technical assistance with this patch, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp

Acknowledgements

This bug was first reported by Juan Carlos Garcia Cuartango from Spain.

Revisions

October 16, 1998: Bulletin Created

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security
---------------------------------------------
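[Editor's note - added example, not part of the forwarded message or of Microsoft's bulletin.] The bulletin's administrative workaround is given as click-through instructions for two per-zone settings: the "Submit non-encrypted form data" prompt and "Active scripting", each for the Internet zone and the Restricted sites zone. Anyone checking more than one machine will want to read those settings directly rather than open the dialog. The script below does that. It assumes the settings live where Microsoft's documentation of security-zone registry entries places them (HKCU\...\Internet Settings\Zones\<zone>, URL action 1601 for unencrypted form submission and 1400 for Active scripting, zone 3 = Internet, zone 4 = Restricted sites, value 0 = Enable, 1 = Prompt, 3 = Disable); none of those paths or numbers appear in the bulletin itself, and the zone keys may be missing or carry other values on a given profile, which the script reports rather than guesses at.

```powershell
# Added example: audit (and with -Enforce, set) the two IE zone settings that
# MS98-015 names as workarounds. Registry location, URL action IDs and value
# meanings are taken from Microsoft's documentation of security-zone registry
# entries, not from the bulletin. Run in the context of the user being checked.
param([switch]$Enforce)

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 3 = 'Internet'; 4 = 'Restricted sites' }

# URL action -> setting name, and the value the bulletin asks for:
#   1601 "Submit non-encrypted form data" -> Prompt (1)   (bulletin: Prompt or Disable)
#   1400 "Active scripting"               -> Disable (3)
$Labels  = @{ '1601' = 'Submit non-encrypted form data'; '1400' = 'Active scripting' }
$Desired = @{ '1601' = 1; '1400' = 3 }
$State   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Describe-Value($v) {
    if ($null -eq $v) { return '(not set)' }
    if ($State.ContainsKey([int]$v)) { return $State[[int]$v] }
    return "raw value $v"          # anything else is reported, not interpreted
}

$findings = @()
foreach ($zoneId in $Zones.Keys) {
    $key = Join-Path $ZoneRoot $zoneId
    if (-not (Test-Path $key)) {
        $findings += "Zone $zoneId ($($Zones[$zoneId])): registry key missing, cannot verify"
        continue
    }
    foreach ($action in $Desired.Keys) {
        $current = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
        $label   = $Labels[$action]
        $want    = $Desired[$action]

        # Weak state per the bulletin: the setting is on Enable (0) or absent.
        # Prompt for Active scripting is not what the bulletin asks for, but it
        # is not the silent-submission case either, so only Enable/unset is flagged.
        $weak = ($null -eq $current) -or ([int]$current -eq 0)
        if (-not $weak) { continue }

        $findings += ("Zone {0} ({1}): '{2}' is {3}; bulletin recommends {4}" -f
                      $zoneId, $Zones[$zoneId], $label, (Describe-Value $current), $State[$want])
        if ($Enforce) {
            Set-ItemProperty -Path $key -Name $action -Value $want -Type DWord
            $findings += ("Zone {0}: '{1}' set to {2}" -f $zoneId, $label, $State[$want])
        }
    }
}

if ($findings.Count -eq 0) {
    'All checked zone settings already match the MS98-015 workaround.'
} else {
    $findings
}
```

Run without arguments to get a list of zone/setting pairs still in the weak state; add -Enforce to write the bulletin's values. The script only touches the two URL actions the bulletin discusses and only moves them away from Enable, so a stricter local policy (Disable where the bulletin says Prompt) is left alone. As the bulletin says, this is a stop-gap for machines that cannot take the patch yet, not a substitute for it.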