Full Disclosure mailing list archives

Re: MS02-065 vulnerability

From: Georgi Guninski <guninski () guninski com>
Date: Fri, 22 Nov 2002 20:19:36 +0200

There is a public demo (without the m$ dll) since least 6 May 2002
http://www.guninski.com/signedactivex2.html
which shows introducing old buginess.

How irresponsible of micro$oft to not warn their luser base back then about thereal solution.

Anyway, lusers may think twice when marketoids claim Paladium and its signaturesare good things, lol.


Georgi Guninski
http://www.guninski.com

Paul Szabo wrote:

Microsoft security bulletin
  http://www.microsoft.com/technet/security/bulletin/ms02-065.asp
contains the caveat "a patched system could be made vulnerable again [by]
visit a web site or open an HTML mail". We have a execute-any-code
vulnerability, exploitable by a Web page or email; the patch can be undone
by a Web page or email. Just as exploitable after the patch.

Is this what Microsoft calls "responsible disclosure"?

Cheers,

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


PS: The above applies to IE only; I know that the patch is needed also for
IIS and maybe others. Do not let details get in the way of a good story.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

MS02-065 vulnerability Paul Szabo (Nov 22)
- Re: MS02-065 vulnerability Georgi Guninski (Nov 22)
- Re: MS02-065 vulnerability HggdH (Nov 22)
- <Possible follow-ups>
- Re: MS02-065 vulnerability Paul Szabo (Nov 23)
  - Re: MS02-065 vulnerability HggdH (Nov 23)