
SANS ISC: MS05-044 Folder View for FTP Sites - mailbag item - SANS Internet Storm Center SANS ISC InfoSec Forums


MS05-044 Folder View for FTP Sites - mailbag item
This is my slightly edited email response to a great point about Microsoft's MS05-044 Security Bulletin. It is a result of email exchanges with a contributor who wishes to remain anonymous:

Hi,

Well, Microsoft makes "Folder View for FTP Sites" a complex subject and certainly one I may be able to post "Workaround" information on in a Diary post.

AFAICT there are many variables involved in OS and IE "installation" (OEM settings, etc.) that can affect FTP Folder views. I did read a ton of MS KBs and the two best on the specific issue are referenced below. And I really appreciate your polite persistence in pushing me to read up on this important item. Thank you!

You're right that MS is misleading in its Security Bulletin presentation. Because so many factors like OEM and customer installation settings can enable the FTP folder view, the Security Bulletin should state a clear workaround on how to look for it in the IE Advanced tab and clearly state that you can disable it by unchecking/clearing it.

In the bulletin, in the "Mitigating Factors for FTP Client Vulnerability - CAN-2005-2126:" section, MS says:
"By default, the "Enable Folder View for FTP Sites" Internet Explorer setting is disabled on all affected operating system versions. An attacker would only be successful if the user manually enables the "Enable Folder View for FTP Sites" Internet Explorer setting on the affected system." This is clearly misleading!

And in the "Workarounds for FTP Client Vulnerability - CAN-2005-2126:" section they only say "Do not download files from un-trusted FTP servers" when they should ADD:

"YOU CAN DISABLE FTP FOLDER VIEW;
To disable FTP Folders, follow these steps:
1. Click Start, point to Settings, click Control Panel, and then double-click Internet Options.
2. Click the Advanced tab.
3. Under Browsing, to disable FTP Folders, CLEAR/UNCHECK the Use Web Based FTP or Enable Folder View for FTP sites check box.
NOTE: When you CLEAR/UNCHECK the Use Web Based FTP or Enable Folder View for FTP sites check box, you are disabling FTP Folder functionality."

So let me try and work something up on that end and see if I can get it into the diary.

Highest regards,

Pat

No option to install Web Folders when you install Internet Explorer 6
Article ID : 298637
Last Review : June 20, 2005
Revision : 5.0

How to Install and Use FTP Folders
Article ID : 217888
Last Review : September 28, 2004
Revision : 3.1  
Patrick