Bugtraq mailing list archives
RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: Nathan Wallwork <owen () pungent org>
Date: Tue, 9 Sep 2003 14:17:33 -0600 (MDT)
On Mon, 8 Sep 2003, Drew Copley wrote:
> The only sure way to detect this, I already wrote about [to Bugtraq]. That is by setting a firewall rule which blocks the dangerous mimetype string [Content-Type: application/hta]. Everything else in the exploit can change.
Just so we are clear, the firewall wouldn't be the right place to catch this because that string could be split by packet fragmentation, so you'd need to look for it at an application level, after the data stream has been reassembled. Of course, if anyone thinks it is easier to protect their browser with a proxy than fix the browser they've got other issues.
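The point made in this message, shown as an added example that is not part of the original post: a per-packet match for the `Content-Type: application/hta` header misses it when the header straddles two segments, while a check on the reassembled response header block finds it. The function names and the sample HTTP response are constructed for illustration, and the reassembly is simplified (one direction of one connection, no sequence-number wraparound).

```python
import re

# Header the thread proposes blocking. Header names and media types are
# case-insensitive, and whitespace after the colon is optional.
HTA_HEADER = re.compile(rb"^content-type:[ \t]*application/hta\b", re.I | re.M)

def per_packet_match(segments):
    """Packet-filter style check: inspect each segment payload on its own."""
    return any(HTA_HEADER.search(payload) for _, payload in segments)

def reassemble(segments):
    """Rebuild the byte stream from (seq, payload) pairs.

    Sorts by sequence number and drops bytes already seen (retransmission
    or overlap). Raises if a gap means the stream is not yet complete.
    """
    stream, next_seq = bytearray(), None
    for seq, payload in sorted(segments):
        if next_seq is None:
            next_seq = seq
        if seq > next_seq:
            raise ValueError("gap in stream; cannot inspect yet")
        skip = next_seq - seq              # bytes we already have
        if skip < len(payload):
            stream += payload[skip:]
            next_seq = seq + len(payload)
    return bytes(stream)

def stream_match(segments):
    """Application-level check: look only at the reassembled header block."""
    head, _, _ = reassemble(segments).partition(b"\r\n\r\n")
    return bool(HTA_HEADER.search(head))

# Constructed sample response (not captured traffic).
RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: example\r\n"
            b"Content-Type: application/hta\r\nContent-Length: 0\r\n\r\n")
CUT = RESPONSE.index(b"application/hta") + 6   # split inside the media type

WHOLE = [(1000, RESPONSE)]
# Same bytes in two segments, arriving out of order.
SPLIT = [(1000 + CUT, RESPONSE[CUT:]), (1000, RESPONSE[:CUT])]

if __name__ == "__main__":
    print("whole, per-packet:", per_packet_match(WHOLE))
    print("split, per-packet:", per_packet_match(SPLIT))
    print("split, reassembled:", stream_match(SPLIT))
```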