lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <DCE76463749C64499892A0DB3AF05AC603BFE6E6@CHALLENGER>
From: LevinsonK at STARS-SMI.com (Levinson, Karl)
Subject: Notepad popups in Internet Explorer and Out
	look

Microsoft stated in the following article concerning a different
vulnerability:

http://www.microsoft.com/technet/security/bulletin/MS02-015.asp

"The vulnerability would not enable the attacker to pass any parameters to
the program. Microsoft is not aware of any programs installed by default in
any version of Windows that, when called with no parameters, could be used
to compromise the system."

I could be wrong, but I would imagine this limitation would also apply to
this Notepad / Wordpad popup issue and prevent it from being anything more
than an annoyance... unless someone was able to, for example, use a
different vulnerability beforehand to inject a new version of notepad.exe,
sort of like the way the Mimail worm used the MS02-015 vulnerability above.


-----Original Message-----
From: Stephen Clowater [mailto:steve@...vesworld.hopto.org]
Sent: Friday, August 08, 2003 11:45 AM
To: Richard M. Smith; full-disclosure@...ts.netsys.com
Subject: [despammed] Re: [Full-Disclosure] Notepad popups in Internet
Explorer and Outlook


I've heard people discusses the possibilities of useing this to execute
arbitray code before, however, I've never managed to replicate anyones
findings on this yet, however there has been quite a bit of talk on other
lists in the past, and I've been asked by people to look into it but I cant
seem to find anything ethier

Supposivly you can use the same flaw to execute arbitrary code, however,
I've been unable to see it replicated yet, so I wouldnt put much stalk into
it.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ