| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3E71BE64C6ECD8449CD5A236F700FA968199BD@odcexch.wei.owhc.net> From: mbassett at omaha.com (Bassett, Mark) Subject: FW: [Fwd: Re: AIM Password theft] -----Original Message----- From: Thor Larholm Sent: Tuesday, September 23, 2003 2:06 PM Subject: RE: [Fwd: Re: AIM Password theft] This is just a simple exploit utilizing the Object Data vulnerability discovered by Drew Copley, coupled with the GreyMagic no-script HTML rendering as demonstrated earlier on this list and others by jelmer. Tell your user to go install MS03-032, which he obviously did not do as MS03-032 patches this vulnerability. MS03-032 was released on August 20 and you can find it at http://www.microsoft.com/technet/security/bulletin/MS03-032.asp -------------------------- Actually the MS03-032 patch doesn't stop the object data vulnerability. Check it here... http://www.secunia.com/MS03-032/ I am patched with MS03-032 ( Q822925 ) but am still vulnerable. Possibly the particular version at haxr.org is the exploit that the patch fixes but if it is, it could easily be modified to the vuln that still works. Only way to really stop it is kill your activex scripting for untrusted sites.
Powered by blists - more mailing lists