RE: [ALERT] Remote File Execution By Web or Mail: Internet Explorer

From: Steve (steve@securesolutions.org)
Date: 11/21/01


From: "Steve" <steve@securesolutions.org>
To: <vuln-dev@securityfocus.com>
Subject: RE: [ALERT] Remote File Execution By Web or Mail: Internet Explorer 
Date: Wed, 21 Nov 2001 13:37:07 -0700
Message-ID: <000001c172cc$4abf9950$2165b8a1@workstation>

This is a perfect example of why the "new suggested disclosure policy"
won't work. There is no way to determine if this so called alert is
true or false. The alert is so generic that most will disregard it as
BS -- so why bother with an alert in the first place? There is zero
value in this type of advisory other than increased FUD.

> Problem:
> ||||||||||||||||||||||||||||||||
>
> There is a critical flaw within the html parser of Internet
> Explorer and its interpretation of certain html tags relative
> to the HKEY_CLASSES_ROOT\htmlfile_FullWindowEmbed key.

Too generic -- there have already been multiple discoveries by others
within the html parser.

> Exploit:
> ||||||||||||||||||||||||||||||||
>
> In accordance with the new suggested policy of responsible
> disclosure, no exploit and no further details will be made
> available at this time to the general public or the vendor.

Great policy -- no information, just general FUD.

> In 60 days from publication of this advisory full working
> exploits and details will be made available to the general
> public and vendor at the same time.

Actually, I think the policy states that you are to be working with the
vendor and not releasing anything to the public.

> Workaround:
> ||||||||||||||||||||||||||||||||
>
> Create a Registry Entry file .reg, click on it or right click
> and select merge.

Sure.... That could fix a lot of things.

> Additional Information:
> ||||||||||||||||||||||||||||||||
>
> The Common Vulnerabilities and Exposures (CVE) project has reserved a
> name for this issue. This is a candidate for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems. Candidates may change
> significantly before they become official CVE entries.

Did a quick search of CAN#s over at mitre and found no new IE candidates
but there is the following (quite a few of em):

CAN-2001-0817
Phase: Assigned (20011115)

Description:
** RESERVED ** This candidate has been reserved by an organization or
individual that will use it when announcing a new security problem.
When the candidate has been publicized, the details for this candidate
will be provided.

Votes: