Date: Tue, 29 Jul 2003 09:53:40 +0100 (BST)
From: pre <pre@...kgang.co.uk>
To: Stephen Cope <mail@...sense.kimihia.org.nz>,
	Fabio Pietrosanti <fabio@...trosanti.it>
Subject: Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")


(replying to two postings in one reply)

Quoting Stephen Cope <mail@...sense.kimihia.org.nz>:
> 
> This has been its /modus operandi/ for over four years:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;239750
> 
>     Microsoft Knowledge Base Article - 239750
>     "Text/Plain" Content-Type Header Field Is Ignored
> 

That article is at best out of date. It doesn't list any products past NT4 or
IE5, when in fact everything after NT4 and IE5 is still vulnerable, including a
fully patched XP and IE6.

I tested the registry entry mentioned in that article and it has no effect on
XP/IE6. I'm not convinced they are even trying to address the same issue with
that particular 'fix'.

I've put up a page at the following URL you can use to test your browser:

http://www.geekgang.co.uk/test/ietest.php


On Mon, 2003-07-28 at 09:00, Fabio Pietrosanti (naif) wrote:
> MIME Type Detection in Internet Explorer explained here:
> 
> http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
> 

Yes, it is explained there, but that doesn't excuse MS refusing to fix this
security hole. They should at a minimum ship their OSes in a secure state - and
at the very very least provide an option for turning this off.

As noted above, this has been known for four years - so much for the MS Secure
Computing Initiative - it's laughable.

cheers,
pre.
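An added example, not part of the original message or of the author's ietest.php page: a small Python server that serves the same kind of test page the post describes, a body sent as text/plain that contains HTML markup. A browser that honours the declared Content-Type shows the markup as text; one that sniffs the body renders the heading and runs the script. The hardened variant adds the `X-Content-Type-Options: nosniff` header, which is the opt-out Microsoft shipped later (IE8, 2008) and which the thread does not mention. The URL paths, the test body and the `contains_markup` heuristic are assumptions made for this example; the heuristic is not IE's actual detection algorithm.

```python
# Added example (not code from the original post or from MSDN).
# Serves a text/plain response whose body contains HTML, with and without
# the later nosniff opt-out, and offers a few helpers for checking responses.
from __future__ import annotations

from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed test body: visible either way, but only a sniffing browser
# renders the heading and executes the script.
TEST_BODY = (
    "This file is served with Content-Type: text/plain.\n"
    "If you see a dialog or a bold heading below, your browser ignored it.\n"
    "<h1>sniffed as HTML</h1>\n"
    '<script>alert("text/plain was ignored")</script>\n'
)

# Tags a content sniffer typically keys on; a rough heuristic, not IE's rules.
MARKUP_HINTS = (b"<html", b"<head", b"<body", b"<script", b"<h1", b"<title")


def build_response(nosniff: bool) -> tuple[int, list[tuple[str, str]], bytes]:
    """Return (status, headers, body) for the test page.

    With nosniff=True the response also carries X-Content-Type-Options: nosniff,
    which tells IE8+ and every modern browser to trust the declared type.
    """
    body = TEST_BODY.encode("utf-8")
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Content-Length", str(len(body))),
        # No caching, so repeated tests are not served from the browser cache.
        ("Cache-Control", "no-store"),
    ]
    if nosniff:
        headers.append(("X-Content-Type-Options", "nosniff"))
    return 200, headers, body


def declared_type(headers: list[tuple[str, str]]) -> str:
    """Media type from the Content-Type header, without parameters; '' if absent."""
    for name, value in headers:
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def is_sniff_resistant(headers: list[tuple[str, str]]) -> bool:
    """True when a type is declared and sniffing is explicitly forbidden."""
    has_nosniff = any(
        name.lower() == "x-content-type-options" and value.strip().lower() == "nosniff"
        for name, value in headers
    )
    return bool(declared_type(headers)) and has_nosniff


def contains_markup(body: bytes, window: int = 256) -> bool:
    """Heuristic: does the leading part of the body look like HTML?

    Only the first `window` bytes are inspected; the window size is an
    assumption for this example, not IE's documented value.
    """
    head = body[:window].lower()
    return any(hint in head for hint in MARKUP_HINTS)


def likely_sniffed(headers: list[tuple[str, str]], body: bytes) -> bool:
    """A non-HTML declared type, HTML-looking body and no nosniff: at risk."""
    return (
        declared_type(headers) != "text/html"
        and contains_markup(body)
        and not is_sniff_resistant(headers)
    )


class TestHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        # /plain reproduces the thread's test; /nosniff is the hardened form.
        status, headers, body = build_response(self.path.startswith("/nosniff"))
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Visit http://127.0.0.1:8080/plain and /nosniff in the browser under test.
    HTTPServer(("127.0.0.1", 8080), TestHandler).serve_forever()
```

Point the browser at `/plain` to reproduce the behaviour the post describes, then at `/nosniff` to confirm that the opt-out is honoured; a browser that renders the heading on `/plain` but shows raw text on `/nosniff` is sniffing and respects the header, while one that renders on both ignores it.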

