[Dshield] FW: Windows 9x Security Update Beta Invite

M Cook dshieldlists at versateam.com
Sat Dec 6 19:26:16 GMT 2003

I think one would find that they say they won't *distribute* patches by 
email. They notify people about the availability of patches all the time 
by email. Some of the patches (e.g. a service pack) are available as CDs 
to be ordered, so I would say that the patch is thereby marketed by 
email (even though you have to go to a M$ web site to order it), there 
being a difference between marketing (advertising) something and 
distributing it.

One could say that this "come participate in a beta test" email by 
Microsoft (almost surely legit) is so close to the "come change your 
account settings" spoofing techniques being used against PayPal and eBay 
(definitely *not* legit) that Microsoft should be strongly encouraged to 
stop using it. I agree, though, that I would recommend to local users 
that they be very careful with such an invitation, and if they needed a 
rule, the rule would be "don't trust things that look like this".

I'd also second the notion that the path to betaplace.com should at 
least start at microsoft.com, though the eBay/PayPal spoofs show that a 
spoofed web address can be made to look legitimate. Microsoft (or any 
other company that is a potential target for malicious exploits) needs 
to minimize/simplify (make foolproof?) the number of techniques a user 
must learn in order to verify its products or messages. The problem 
isn't so much that betaplace.com isn't secure or legitimate, it is that 
many mere mortals won't be able to distinguish between this legitimate 
invitation and one that is spoofed. Just the number of emails on this 
list describing how to analyze the certificate hierarchy or work through 
IE quirks and bugs to verify the site's validity supports the notion 
that this is way too complex for a normal user, and therefore the 
security expert's rule would be "don't trust it".

Alan Frayer wrote:

>Since Microsoft has already stated 1) that they wouldn't market patches
>by e-mail, and 2) they would no longer provide free support of the 9x
>series, and since the web site they want you to visit isn't part of
>Microsoft's vast domain, I'm going to say no, this is not legit.
