From: guninski at guninski.com (Georgi Guninski)
Subject: MS02-065 vulnerability

There is a public demo (without the m$ dll) since at least 6 May 2002
http://www.guninski.com/signedactivex2.html
which shows introducing old bugginess.

How irresponsible of micro$oft to not warn their luser base back then about the 
real solution.

Anyway, lusers may think twice when marketoids claim Palladium and its signatures 
are good things, lol.

Georgi Guninski
http://www.guninski.com

Paul Szabo wrote:

> Microsoft security bulletin
>   http://www.microsoft.com/technet/security/bulletin/ms02-065.asp
> contains the caveat "a patched system could be made vulnerable again [by]
> visit a web site or open an HTML mail". We have an execute-any-code
> vulnerability, exploitable by a Web page or email; the patch can be undone
> by a Web page or email. Just as exploitable after the patch.
>
> Is this what Microsoft calls "responsible disclosure"?
>
> Cheers,
>
> Paul Szabo - psz@...hs.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
> School of Mathematics and Statistics  University of Sydney   2006  Australia
>
>
> PS: The above applies to IE only; I know that the patch is needed also for
> IIS and maybe others. Do not let details get in the way of a good story.


