NT4.0 SP3 Still vulnerable

[pokee () MAXWELL EE WASHINGTON EDU (Aaron Spangler)]

I reported an Internet Explorer Security hole more than 2 months ago to
Microsoft.  The bug allows Websites to capture usernames and encrypted
passwords from unsuspecing Windows NT users who have Internet Explorer.

At first Microsoft told me they would Patch Internet Explorer.  Then
Internet Explorer 3.02 which was supposed to fix ALL of the security
holes from that month.  (According to MS's Web page)

But IE 3.02 did not fix the security hole!

Then Microsoft told me that NT 4.0 Service Pack 3 will definitely fix the
whole.

I just downloaded it.  It does NOT fix the security hole!

I lightly urge only those BUGTRAQ readers who feel that this is an important
security issue to send non-threatening email to "secure () microsoft com" to
kindly request them to fix this hole.

To date, microsoft has not fixed this and similiar security holes!  Maybe a
expoit code release to BUGTRAQ is in order to help speed things up.

By the way, I have been conversing with CERT the last 2 months, and they
still believe that Microsoft will fix the problem and CERT does not want
to issue an Advisory until the bug is fixed.  However CERT should atleast be
notifing administrators to warn users not to use Internet Explorer until
this bug is fixed.

Thanks for all your help.

     http://www.ee.washington.edu/computing/iebug/

--
Aaron Spangler                 EE Unix System Administrator
Electrical Engineering FT-10        pokee () ee washington edu
University of Washington            Phone    (206) 543-8984
Box 352500                             or    (206) 543-2523
Seattle, WA 98195-2500              Fax      (206) 543-3842