Full Disclosure mailing list archives
Re: Yet another IE aperture
From: "GreyMagic Security" <security () greymagic com>
Date: Sat, 9 Oct 2004 16:01:18 +0200
can you comment on this testcases: http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo2.html http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo.html
Interesting, both your exploit code as well as the exploit code we provide in the advisory (Exploit section) do work flawlessly, it's an implementation detail in the live PoC that's being blocked. Quite a regression for Microsoft. The reason we were getting Access denied errors is because of the way the live PoC was implemented. Apparently, the patch is still applicable when the XML script block is dynamically included via document.write(). Strangely enough, the regression only applies to static HTML script blocks. To those looking to test this on any document, we updated the live PoC to use a static script block and it now works again. http://www.greymagic.com/security/advisories/gm009-ie/ We added the following update to the original advisory: ... Update - 9 Oct 2004 Apparently, there has been a regression in Internet Explorer that caused it to be vulnerable to this issue once again. The regression was spotted by Georgi Guninski. Interestingly enough, the regression is only visible when the <script> block is static in the page, dynamic blocks (via document.write) are protected. ... Cheers _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Yet another IE aperture Georgi Guninski (Oct 07)
- <Possible follow-ups>
- Re: Yet another IE aperture GreyMagic Security (Oct 08)
- Re: Yet another IE aperture Georgi Guninski (Oct 09)
- Re: Yet another IE aperture GreyMagic Security (Oct 09)
- Re: Re: Yet another IE aperture Christian (Oct 10)
- Re: Yet another IE aperture Georgi Guninski (Oct 09)
- Re: Yet another IE aperture Aviv Raff (Oct 09)