Re: Vulnerable cached objects in IE (9 advisories in 1)

From: Thor Larholm (thor@PIVX.COM)
Date: 10/23/02


Date:         Wed, 23 Oct 2002 15:49:50 +0200
From: Thor Larholm <thor@PIVX.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

After GreyMagic released their email advisory they updated the advisory on
their website. Apparently, further testing revealed that IE6 SP1 did not
fix these holes in a generic way, and instead chose to apply security
checks on individual methods and properties.

These 2 properties seem to have been overlooked, and I suspect that many
more will follow in the category of caching vulnerabilities.

I can personally confirm through my own testing that the "external" and
"clipboardData" caching vulnerabilities are still unpatched even on IE6 SP1,
enabling cookie theft, local file reading and arbitrary command execution
even in IE6 SP1. Peer research (such as jelmer's post on the bugtraq list)
reveals the same.

As such, I would take the words of the updatable website advisory over the
unchangeable email advisory any day. IE 5.5 SP2 and IE6 SP1 are both
vulnerable, the latter just to a lesser extent.

Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC

Are You Secure?
http://www.PivX.com

-----Original Message-----
From: Holger Hasenstrauch [mailto:holger@RDT.CO.UK]
Sent: 23 October 2002 13:55
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Vulnerable cached objects in IE (9 advisories in 1)

This advisory on NTBugtraq says that IE6 SP1 is not vulnerable, but the
advisory on the website (http://sec.greymagic.com/adv/gm012-ie/) says:

"IE6 SP1 is vulnerable to the "external" and "clipboardData" vulnerabilities
and immune to the rest."

Can anyone clarify?

--
Holger Hasenstrauch

> -----Original Message-----
> From: GreyMagic Software [mailto:security@GREYMAGIC.COM]
> Sent: 22 October 2002 16:24
> Subject: Vulnerable cached objects in IE (9 advisories in 1)
>



