Full Disclosure mailing list archives

Re: MS-Windows ME IE/Outlook/HelpCenter critical vulnerability

From: "Fozzy [Hackademy Audit]" <fozzy () dmpfrance com>
Date: Thu, 27 Feb 2003 09:24:59 +0100

Hi,

My statement was unclear with respect to Windows XP. I included this information about WinXP just for the record, to 
show that there is yet another vulnerability that could affect people running unpatched installations of  WinXP. I did 
not wanted to confuse people into thinking that up-to-date WinXP boxes have another hole.

So my statement about WinXP should read :
- if you run Windows XP unpatched, "out of the box", it is vulnerable to this issue (and, obviously, many other ones)
- if you did apply MS02-060 patch (also included in SP1 ?), which makes the Help Center behave very differently, you 
are _safe_.

I believe this is true. However, I am not a WinXP user, and I tried that 3 months ago, so I may be wrong or unclear. If 
someone has more accurate information, please post it on the list.

Also, a guy from Microsoft told me Windows 2000 does not have an Help Center, so obviously Win2000 should not be 
affected by this issue.


Fozzy


On Thu, 27 Feb 2003 08:55:23 -0800
"Quaker Oats" <quakeroats () hushmail com> wrote:


-----BEGIN PGP SIGNED MESSAGE-----

Fozzy,

If you read MSFT's advisory, it seems as though they don't believe Windwos XP is vulnerable at all. This runs counter 
to what you're saying. What's the deal?


- -----Original Message-----
From: Fozzy [Hackademy Audit] [mailto:fozzy () dmpfrance com]
Sent: Thursday, February 27, 2003 12:08 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] MS-Windows ME IE/Outlook/HelpCenter critical
vulnerability


/BEGIN CLIP


- --[ Affected Systems ]--

- - Windows ME (any version)
- - Windows XP without SP1

Not vulnerable :
- - Windows XP with SP1

Status of Windows 2000 was not tested but is believed to be the same as
Windows XP.

/END CLIP



Quaker Oats

"...it's mmmm mmmm good"
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wl8EARECAB8FAj5eQrgYHHF1YWtlcm9hdHNAaHVzaG1haWwuY29tAAoJEC2cw+XVsKna
mzsAniIHfWr3Cx1CXQipA1aF6FTlUf7ZAKCNL7udncX2CJFWvD4wPeC/UyVLng==
=pDoM
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

MS-Windows ME IE/Outlook/HelpCenter critical vulnerability Fozzy [Hackademy Audit] (Feb 27)
- <Possible follow-ups>
- RE: MS-Windows ME IE/Outlook/HelpCenter critical vulnerability Quaker Oats (Feb 27)
  - Re: MS-Windows ME IE/Outlook/HelpCenter critical vulnerability Fozzy [Hackademy Audit] (Feb 27)