Re: Workaround for stopping MS2003-030 exploitation via HTML? [VU#561284]
From: CERT(R) Coordination Center (cert_at_CERT.ORG)
Date: 07/30/03
Date: Wed, 30 Jul 2003 12:46:21 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Jeff For:Ex Johnson <Jeff.S.Johnson@gems1.gov.bc.ca> writes:
>CERT recently issued an advisory about this vulnerability (CA-2003-18,
>http://www.cert.org/advisories/CA-2003-18.html) that said that setting the
>Internet Explorer 'Run ActiveX Controls' security setting to disable in
>appropriate IE security zones would prevent exploitation of this in web
>pages and HTML-format email. This sort of makes sense, since media player
>can be used as an ActiveX control.
>
>Can anyone confirm that this is really true, though?
I've corresponded with Jeff off-list, and as a result, the workaround
in CA-2003-18 has been re-written:
<http://www.cert.org/advisories/CA-2003-18.html>
In particular, this sentence from the original workaround was just
wrong:
"This modification [disable ActiveX and plug-ins] will prevent MIDI
files from being automatically loaded from HTML documents."
So thanks to Jeff for his skepticism and help in researching the
various ways to get IE/Outlook/Outlook Express to load MIDI files.
Some interesting results:
<EMBED src=x.mid>       Run ActiveX controls and plug-ins
<BGSOUND src=x.mid>     Play sounds in web pages
<IMG dynsrc=x.mid>      Play videos in web pages
Fully patched WinXP/Outlook Express 6 SP1 loads a MIDI file despite
the "Play sounds/videos" settings.
As an aside, CERT/CC Advisories (and most of our other documents)
contain email links, and we welcome feedback, criticism, comments,
etc.
Regards,
- Art
Art Manion -- CERT Coordination Center
<http://www.cert.org/> <cert@cert.org> +1 412-268-7090
E0 1E DF F5 FC 76 00 32 77 8F 25 F7 B0 2E 2C 27
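Added example (not part of the original message or of the CERT advisory): a Python scan of an HTML body, such as one seen at a mail or web gateway, for the three constructs listed in the message when they reference a MIDI file, reporting the IE setting the message associates with each. Recognising MIDI by the `.mid`/`.midi` extension, the function and class names, and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) -> IE security setting that governs it, as listed in the message.
GOVERNING_SETTING = {
    ("embed", "src"): "Run ActiveX controls and plug-ins",
    ("bgsound", "src"): "Play sounds in web pages",
    ("img", "dynsrc"): "Play videos in web pages",
}
# Assumption: MIDI content is recognised by file extension only.
MIDI_EXTENSIONS = (".mid", ".midi")

# Constructed sample input: three MIDI references and two unrelated elements.
SAMPLE = """<html><body>
<EMBED src=x.mid>
<bgsound SRC="http://mail.example.test/a/tune.MID?id=7">
<IMG dynsrc='x.mid' src="logo.gif">
<img src="photo.jpg"><embed src="movie.swf">
</body></html>"""


class MidiRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <EMBED SRC=...> matches.
        for name, value in attrs:
            setting = GOVERNING_SETTING.get((tag, name))
            if setting is None or not value:
                continue
            try:
                path = urlsplit(value.strip()).path.lower()  # drop ?query and #fragment
            except ValueError:
                path = value.strip().lower()  # malformed URL: compare the raw value
            if path.endswith(MIDI_EXTENSIONS):
                self.findings.append((tag, name, value.strip(), setting))


def find_midi_refs(html):
    # Returns a list of (tag, attribute, url, governing IE setting) tuples.
    finder = MidiRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print(*find_midi_refs(SAMPLE), sep="\n")
```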