| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: se_cur_ity at hotmail.com (morning_wood) Subject: Official IFRAME patch - make sure it installs correctly I can confirm on WinXP SP1 ( download the [patch].exe run and reboot) Mr Wever's exploit PoC did not run ( no shell, dialog warning ) cheers, m.w > > The IFRAME vulnerability has been patched, see http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx > > The wording in ms04-040 is so vague, I am not entirely sure that this > patch is a fix for the IFRAME bug(s)? > > > *** Make sure you are patched after installing *** > > I installed it using "Automatic Updates" (on Win2ksp4), rebooted and loaded my InternetExploiter.html: IT STILL WORKED!! > > Even though both "Automatic Updates" and "http://windowsupdate.microsoft.com" reported that I was patched!?! > > I manually downloaded the exe and ran it, rebooted and now I'm finally truely patched. > > Just so I am clear, after automatic updates applied the "critical > patch" on W2KSP4 and rebooted, the IFRAME exploit still worked, but > manually downloading the executable given in the Microsoft alert and > running it results in a system on which the IFRAME exploit no longer > works? > > This would be confirmation that ms04-040 actually does address the > IFRAME exploit. > > > Kevin > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists