Vulnerability Development mailing list archives
RE: [ALERT] Remote File Execution By Web or Mail: Internet Explorer
From: "Steve" <steve () securesolutions org>
Date: Wed, 21 Nov 2001 13:37:07 -0700
This is a perfect example of why the "new suggested disclosure policy" won't work. There is no way to determine if this so called alert is true or false. The alert is so generic that most will disregard it as BS -- so why bother with an alert in the first place? There is zero value in this type of advisory other than increased FUD.
Problem: |||||||||||||||||||||||||||||||| There is a critical flaw within the html parser of Internet Explorer and its interpretation of certain html tags relative to the HKEY_CLASSES_ROOT\htmlfile_FullWindowEmbed key.
Too generic -- there have already been multiple discoveries by others within the html parser.
Exploit: |||||||||||||||||||||||||||||||| In accordance with the new suggested policy of responsible disclosure, no exploit and no further details will be made available at this time to the general public or the vendor.
Great policy -- no information, just general FUD.
In 60 days from publication of this advisory full working exploits and details will be made available to the general public and vendor at the same time.
Actually, I think the policy states that you are to be working with the vendor and not releasing anything to the public.
Workaround: |||||||||||||||||||||||||||||||| Create a Registry Entry file .reg, click on it or right click and select merge.
Sure.... That could fix a lot of things.
Additional Information: |||||||||||||||||||||||||||||||| The Common Vulnerabilities and Exposures (CVE) project has reserved a
name for this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems. Candidates may change
significantly before they become official CVE entries.
Did a quick search of CAN#s over at mitre and found no new IE candidates but there is the following (quite a few of em): CAN-2001-0817 Phase: Assigned (20011115) Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new >security problem. When the candidate has been publicized, the details for this candidate will be provided. Votes:
Current thread:
- [ALERT] Remote File Execution By Web or Mail: Internet Explorer hush . little . baby (Nov 21)
- RE: [ALERT] Remote File Execution By Web or Mail: Internet Explorer Steve (Nov 21)
- Re: [ALERT] Remote File Execution By Web or Mail: Internet Explorer Mariusz Mazur (Nov 22)
- Re: [ALERT] Remote File Execution By Web or Mail: Internet Explorer Robert Collins (Nov 22)
- Re: [ALERT] Remote File Execution By Web or Mail: Internet Explorer Bill Weiss (Nov 22)
- Re: [ALERT] Remote File Execution By Web or Mail: Internet Explorer Glenn Valenta (Nov 23)
- Re: [ALERT] Remote File Execution By Web or Mail: Internet Explorer Bill Weiss (Nov 25)
- Re[2]: [ALERT] Remote File Execution By Web or Mail: Internet Explorer Mariusz Mazur (Nov 23)
- Re: [ALERT] Remote File Execution By Web or Mail: Internet Explorer Markus Kern (Nov 23)
- <Possible follow-ups>
- RE: [ALERT] Remote File Execution By Web or Mail: Internet Explorer Ben Smee (Nov 22)
- Re[2]: [ALERT] Remote File Execution By Web or Mail: Internet Explorer Mariusz Mazur (Nov 23)
- Re: [ALERT] Remote File Execution By Web or Mail: Internet Explorer Thomas Schweikle (Nov 27)