Message-ID: <200211230934.gAN9Yc7253926@milan.maths.usyd.edu.au>
From: psz at maths.usyd.edu.au (Paul Szabo)
Subject: MS02-065 vulnerability

HggdH <hggdh@...bi.com> wrote:
> . From: "Paul Szabo" <psz@...hs.usyd.edu.au>
> . [[ MS02-065 is ] Just as exploitable after the patch. ]
> 
> Quoting: "What steps could I follow to prevent the control from being
> silently re-introduced onto my system? The simplest way is to make sure you
> have no trusted publishers, including Microsoft."

The work-arounds suggested by Microsoft probably work. They might even
"come clean" and suggest disabling ActiveX, or even go as far as to ask
users to "get off" IE (and use Netscape or Mozilla or whatever), or to
upgrade to Linux.

The fact remains that installing the patch does not protect the (IE) user.

> . Is this what Microsoft calls "responsible disclosure"?
> 
> The real interesting part, for me, is that the trust on the trusting
> mechanism has been shattered. Finally.

Agreed.

Cheers,

Paul Szabo - psz@...hs.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
