Full Disclosure mailing list archives
Re: MS02-065 vulnerability
From: Georgi Guninski <guninski () guninski com>
Date: Fri, 22 Nov 2002 20:19:36 +0200
There is a public demo (without the m$ dll) since least 6 May 2002 http://www.guninski.com/signedactivex2.html which shows introducing old buginess.How irresponsible of micro$oft to not warn their luser base back then about the real solution.
Anyway, lusers may think twice when marketoids claim Paladium and its signatures are good things, lol.
Georgi Guninski http://www.guninski.com Paul Szabo wrote:
Microsoft security bulletin http://www.microsoft.com/technet/security/bulletin/ms02-065.asp contains the caveat "a patched system could be made vulnerable again [by] visit a web site or open an HTML mail". We have a execute-any-code vulnerability, exploitable by a Web page or email; the patch can be undone by a Web page or email. Just as exploitable after the patch. Is this what Microsoft calls "responsible disclosure"? Cheers, Paul Szabo - psz () maths usyd edu au http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia PS: The above applies to IE only; I know that the patch is needed also for IIS and maybe others. Do not let details get in the way of a good story. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- MS02-065 vulnerability Paul Szabo (Nov 22)
- Re: MS02-065 vulnerability Georgi Guninski (Nov 22)
- Re: MS02-065 vulnerability HggdH (Nov 22)
- <Possible follow-ups>
- Re: MS02-065 vulnerability Paul Szabo (Nov 23)
- Re: MS02-065 vulnerability HggdH (Nov 23)