lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 24 Sep 2003 13:20:57 -0700
From: "Thor Larholm" <thor@...x.com>
To: "CERT(R) Coordination Center" <cert@...t.org>
Cc: "CERT(R) Coordination Center" <cert@...t.org>,
	"Mark Coleman" <markc@...ontown.com>, <bugtraq@...urityfocus.org>
Subject: RE: [Fwd: Re: AIM Password theft]  VU#865940

Art,
 
You are correct, I should not have replied to Mark when I had not yet had my morning coffee. The dynamic rendering of OBJECT elements still trigger the HTA functionality exposed in Windows. Personally, though, I see this as an unrelated vulnerability regarding static/dynamic code rendering which has a greater impact than just allowing HTA code to execute.
 
Both GM#001 and thePulls POC, which malware cites, are one and the same issue instead of two separate, they both trigger the dynamic rendering of HTML instead of the static - GM#001 just does this without requiring scripting.
 
 
 
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities
 
 
 

	-----Original Message----- 
	From: CERT(R) Coordination Center [mailto:cert@...t.org] 
	Sent: Wed 9/24/2003 11:35 AM 
	To: Thor Larholm 
	Cc: CERT(R) Coordination Center; Mark Coleman; bugtraq@...urityfocus.org 
	Subject: RE: [Fwd: Re: AIM Password theft] VU#865940
	

	At the present, the patch for MS03-032 breaks one of at least three
	exploit techniques.  The patch does not resolve the vulnerability.
	MS03-032 acknowledges this.  I have seen several examples of this
	vulnerability being exploited in the wild.
	In particular, the current MS03-32 patch doesn't account for an HTML
	document created via XML/data binding:
	
	  <http://greymagic.com/adv/gm001-ie/>
	
	The patch also does not account for an HTML document created via
	script:
	
	  <http://www.securityfocus.com/archive/1/336616>
	
	             Art Manion  --  CERT Coordination Center

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ