Full Disclosure mailing list archives

Re: MS02-065 vulnerability


From: psz () maths usyd edu au (Paul Szabo)
Date: Sat, 23 Nov 2002 20:34:38 +1100 (EST)

HggdH <hggdh () attbi com> wrote:
. From: "Paul Szabo" <psz () maths usyd edu au>
. [[ MS02-065 is ] Just as exploitable after the patch. ]

Quoting: "What steps could I follow to prevent the control from being
silently re-introduced onto my system? The simplest way is to make sure you
have no trusted publishers, including Microsoft."

The work-arounds suggested by Microsoft probably work. They might even
"come clean" and suggest disabling ActiveX, or even go as far as to ask
users to "get off" IE (and use Netscape or Mozilla or whatever), or to
upgrade to Linux.

The fact remains that installing the patch does not protect the (IE) user.

. Is this what Microsoft calls "responsible disclosure"?

The really interesting part, for me, is that the trust in the trusting
mechanism has been shattered. Finally.

Agreed.

Cheers,

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

