Summary: IE DoS in W2K and XP

From: 'ken'@FTU
Date: 06/27/02 

Date: Wed, 26 Jun 2002 21:48:35 -0400
From: "'ken'@FTU" <ken_at_ftu@yahoo.com>
To: bugtraq@securityfocus.com, bugs@securitytracker.com

This email does the following:

1. Reports two more cases
2. States my official position
3. Answer some concerns I received in private correspondence

1. Two other reported cases. NOTE: I did not test these cases.

The odd gaim case (which I asked for more details...)

===== Case One =====
Hello, i have tested it and it seems to work.
however i would also like to point out that i linked my friend who was
on Freebsd 4.6 and it crashed his Gaim session. I then tested it on my
bsd4.5 and it did the same
====================

===== Case Two =====
Note that the above crashes everything that uses IE, including Visual
Studio.NET, Frontpage, Outlook/Express, etc.
====================

2. My official position:

I tend to agree with Microsoft, actually. My reason for posting was
simple: some people may have a wider scope of a DoS attack then the
definitions laid out by Microsoft. Also, it seems that the ease of
inserting this code somewhere makes it a nuisance.

Please note that I mentioned in my original post that this would be more
of an inconvience than a vulnerability that would cause damage of some type.

3. Answer to some concerns...

For those worried that Microsoft will sit on this problem, MS told me
that this would be submitted as a bug report to the proper department.

To those with limited XSS imagination: what about an ecommerce site with
a bulletin board or some type of posting mechanism (eBay)?

To the individual who thought I claimed this was worthy of a hotfix:
re-read my post, study your security and please read *carefully*
**before** sending me an email.

Until we meet again...

Yours,
'ken'@FTU 

-- 
"I grew convinced that truth, sincerity and integrity in dealings 
between man and man were of the utmost importance to the felicity of 
life, and I formed a written resolution to practice them ever while I 
lived."
	-Benjamin Franklin, The Autobiography of Benjamin Franklin

Relevant Pages

  • RE: Unable to Veiw Performance Reports after WSUS was removed
    ... Microsoft CSS Online Newsgroup Support ... Unable to Veiw Performance Reports after WSUS was removed ... SQL database for monitoring component. ... Open Server Management. ...
    (microsoft.public.windows.server.sbs)
  • RE: Server Usage Report - Email Data not available
    ... it may take about 24 hours to re-generate reports. ... Microsoft CSS Online Newsgroup Support ... |> SQL database for monitoring component by rerun Setup Monitoring Reports ... |> If we cannot resolve the issue after we perform the above steps, ...
    (microsoft.public.windows.server.sbs)
  • RE: Server Usage Report - Email Data not available
    ... it may take about 24 hours to re-generate reports. ... Microsoft CSS Online Newsgroup Support ... Server Usage Report - Email Data not available ... |> SQL database for monitoring component by rerun Setup Monitoring Reports ...
    (microsoft.public.windows.server.sbs)
  • [Full-disclosure] Fwd: IE7 is a Source of Problem - Secunia IE7 Release Incident of October
    ... IE7 is a Source of Problem - Secunia IE7 Release Incident ... I am not defending Microsoft. ... and Microsoft say "These reports are technically inaccurate: ... if you have to write down a vulnerability report on it?. ...
    (Full-Disclosure)
  • Re: Access Web Application
    ... Co-author - Microsoft Office Access 2007 Inside Out ... I'm not exactly sure how many forms, reports, etc, but I want to make it ... It holds all items, sales history, etc. ... the central Server every hour with all updates. ...
    (microsoft.public.access.modulesdaovba)