Bugtraq mailing list archives

RE: MS02-066 - fixes, gaps and incorrect statements


From: "GreyMagic Software" <security () greymagic com>
Date: Mon, 25 Nov 2002 19:05:28 +0200

In MS02-066 Microsoft claim they've fixed several Cross Domain
Verification problems. Unfortunately, they are not really clear on
which vulnerabilities they fix.

Fixed by MS02-066:

- javascript: URLs in sub-frames (Who framed).
- IFrame's "Document" property (D-Day).
- showModalDialog caching.
- createRange caching (partial).
- elementFromPoint caching.
- getElementById caching.
- getElementsByName caching.
- getElementsByTagName caching.
- execCommand caching.
- location.assign caching.
- location.replace caching.
- document.write caching.
- %2F URL encoding.

Not fixed:

- external caching.
- clipboardData caching.
- Many older ones.

Incorrect statements:

Microsoft is down-playing the impact of the vulnerabilities they talk about
in MS02-066.

"The vulnerabilities would only allow an attacker to read files on the user's
local system that can be rendered in a browser window, such as image
files, HTML files and text files."

This is incorrect; the vulnerabilities would allow an attacker to read any
type of file, regardless of whether it can be rendered in the browser or
not, by using the XMLHTTP object.

Then they go on to say:

"The vulnerabilities would not provide any way for an attacker to put a
program of their choice onto another user's system."

"An attacker would need to know the name and location of any file on the
system to successfully invoke it."

"The vulnerabilities could only be used to view or invoke local executables.
It could not be used to create, delete, or modify arbitrary or malicious
files."

All of these 3 statements are incorrect. Using the HTML Help control, it is
possible to execute arbitrary commands as demonstrated by Andreas Sandblad
at http://online.securityfocus.com/archive/1/298748. This includes the
execution of arbitrary WSH script, which is able to perform all of the
actions outlined as impossible above.

We reported these problems to Microsoft and a new revision of the bulletin
should be released soon.
