Bugtraq mailing list archives
NT4.0 SP3 Still vulnerable
From: pokee () MAXWELL EE WASHINGTON EDU (Aaron Spangler)
Date: Thu, 15 May 1997 12:11:49 PDT
I reported an Internet Explorer Security hole more than 2 months ago to Microsoft. The bug allows Websites to capture usernames and encrypted passwords from unsuspecting Windows NT users who have Internet Explorer.

At first Microsoft told me they would Patch Internet Explorer. Then came Internet Explorer 3.02, which was supposed to fix ALL of the security holes from that month (according to MS's Web page). But IE 3.02 did not fix the security hole! Then Microsoft told me that NT 4.0 Service Pack 3 will definitely fix the hole. I just downloaded it. It does NOT fix the security hole!

I lightly urge only those BUGTRAQ readers who feel that this is an important security issue to send non-threatening email to "secure () microsoft com" to kindly request them to fix this hole. To date, Microsoft has not fixed this and similar security holes! Maybe an exploit code release to BUGTRAQ is in order to help speed things up.

By the way, I have been conversing with CERT the last 2 months, and they still believe that Microsoft will fix the problem and CERT does not want to issue an Advisory until the bug is fixed. However, CERT should at least be notifying administrators to warn users not to use Internet Explorer until this bug is fixed.

Thanks for all your help.

http://www.ee.washington.edu/computing/iebug/

--
Aaron Spangler                 EE Unix System Administrator
Electrical Engineering FT-10   pokee () ee washington edu
University of Washington       Phone (206) 543-8984
Box 352500                        or (206) 543-2523
Seattle, WA 98195-2500         Fax   (206) 543-3842