I wanted to take a minute and have a quick look at MS08-050. This is the recently released Microsoft Security Bulletin fixing a vulnerability in Windows Messenger. What I don't get is the Maximum Severity Impact of 'Information Disclosure'. From the Microsoft Advisory:
Scripting of a particular ActiveX control, Messenger.UIAutomation.1, could allow information disclosure from these programs in the context of the logged-on user. An attacker could change state, get contact information, and initiate audio and video chat sessions without the knowledge of the logged-on user. An attacker could also capture the user’s logon ID and remotely log on to the user’s Messenger client as that user.
Now, maybe I'm missing something here, but since when is something that is interactive solely information disclosure? If I can change state, initiate audio and video sessions and log on to the user's client... I'd say that's a little more than 'Information Disclosure'. Since most XP users will have this installed (it ships with the operating system), I would think this becomes somewhat more important than an 'Information Disclosure'.
Does anyone have any insight into how Microsoft selects these ratings? I would really like to know the thought process that led to this being labeled 'Information Disclosure'.
Comments (2)
Odd, seems like the rating given was based on the vulnerability itself rather than the impact of that vulnerability. An error I often see; seeing it from MS, however, is a bit odd.
Posted by Thierry Zoller | August 20, 2008 12:18 PM
So, a lot of times, one issue leads to another. So you use the first, most obvious class, and move on to a richer textual description.
After all, there are situations where tampering leads to EoP... if you follow your logic, you end up with everything as EoP eventually.
Not speaking for my employer.
Posted by Adam | August 24, 2008 10:51 AM