Bugtraq mailing list archives
RE: Pressing CTRL in IE is dangerous - Sandblad advisory #8
From: "GreyMagic Software" <security () greymagic com>
Date: Wed, 24 Jul 2002 16:54:35 +0200
Microsoft and Andreas suggest the following workarounds:
2. disable "allow paste operations via script" (best)
3. disable active scripting

Using these workarounds is currently futile for users with Office installed. The clipboard text can be set regardless of configuration as we've shown in GM#007-IE, and disabling scripting can be easily circumvented as we've shown in GM#005-IE. These vulnerabilities were disclosed 3.5 months ago and still haven't been patched.

References:
http://sec.greymagic.com/adv/gm005-ie/
http://sec.greymagic.com/adv/gm007-ie/

But even without these workarounds the severity of this vulnerability is low-medium at best since it requires a non-trivial user interaction.

- GMS

Current thread:
- Pressing CTRL in IE is dangerous - Sandblad advisory #8 Andreas Sandblad (Jul 23)
- RE: Pressing CTRL in IE is dangerous - Sandblad advisory #8 GreyMagic Software (Jul 24)
- Re: Pressing CTRL in IE is dangerous - Sandblad advisory #8 Peter Pentchev (Jul 24)
- <Possible follow-ups>
- RE: Pressing CTRL in IE is dangerous - Sandblad advisory #8 Thor Larholm (Jul 24)
