[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: guninski at guninski.com (Georgi Guninski)
Subject: MS02-065 vulnerability
There is a public demo (without the m$ dll) since least 6 May 2002
http://www.guninski.com/signedactivex2.html
which shows introducing old buginess.
How irresponsible of micro$oft to not warn their luser base back then about the
real solution.
Anyway, lusers may think twice when marketoids claim Paladium and its signatures
are good things, lol.
Georgi Guninski
http://www.guninski.com
Paul Szabo wrote:
> Microsoft security bulletin
> http://www.microsoft.com/technet/security/bulletin/ms02-065.asp
> contains the caveat "a patched system could be made vulnerable again [by]
> visit a web site or open an HTML mail". We have a execute-any-code
> vulnerability, exploitable by a Web page or email; the patch can be undone
> by a Web page or email. Just as exploitable after the patch.
>
> Is this what Microsoft calls "responsible disclosure"?
>
> Cheers,
>
> Paul Szabo - psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
> School of Mathematics and Statistics University of Sydney 2006 Australia
>
>
> PS: The above applies to IE only; I know that the patch is needed also for
> IIS and maybe others. Do not let details get in the way of a good story.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
Powered by blists - more mailing lists