Bugtraq mailing list archives
RE: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow
From: "Jason Coombs" <jasonc () science org>
Date: Wed, 13 Aug 2003 09:36:25 -1000
What about pointing the OBJECT tag codebase to a known, or probable, location on the victim's own hard drive? ActiveX never implemented any type of "same origin policy" the way JavaScript does, so a local codebase reference should work as a technique to silently activate any Microsoft-signed ActiveX control. But I could be mistaken; this is commentary from memory, not experimental result.

I'd much rather spend my time conducting security audits of Linux and trying to help those companies threatened by SCO's copyright claims defend themselves in court.

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Thor Larholm
Sent: Wednesday, August 13, 2003 8:22 AM
To: Tri Huynh; bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow

The MCWNDX.OCX binary is digitally signed by Microsoft, and as such you can plant it on the user's machine just by pointing the codebase attribute of your OBJECT tag to an archived copy of the file on your own server.

This also applies to other outdated ActiveX controls: even when a newer (patched) version exists and is installed on the user's machine, you can still re-introduce the old, buggy version, since it is digitally signed by Microsoft.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher