Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")

[pre <pre () geekgang co uk>]

(replying to two postings in one reply)

Quoting Stephen Cope <mail () nonsense kimihia org nz>:
> This has been its /modus operandi/ for over four years:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;239750
>
>     Microsoft Knowledge Base Article - 239750
>     "Text/Plain" Content-Type Header Field Is Ignored

That article is at best out of date. It doesn't list any products past NT4 or
IE5, when in fact everything after NT4 and IE5 is still vulnerable, including a
fully patched XP and IE6.

I tested the registry entry mentioned in that article and it has no effect on
XP/IE6. I'm not convinced they are even trying to address the same issue with
that particular 'fix'.

I've put up a page at the following URL you can use to test your browser:

http://www.geekgang.co.uk/test/ietest.php


On Mon, 2003-07-28 at 09:00, Fabio Pietrosanti (naif) wrote:
> MIME Type Detection in Internet Explorer explained here:
>
> http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp

Yes, it is explained there, but that doesn't excuse MS refusing to fix this
security hole. They should at a minimum ship their OS's in a secure state - and
at the very very least provide an option for turning this off.

As noted above, this has been known for four years - so much for the MS Secure
Computing Initative - it's laughable.

cheers,
pre.