lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <42C428FC.3030208@moritz-naumann.com>
Date: Thu Jun 30 18:45:56 2005
From: info at moritz-naumann.com (Moritz Naumann)
Subject: SEC-CONSULT SA-20050629-0

> vulnerable versions:
> ---------------
> 
> javaprxy.dll 5.00.3810
> internet explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
> 
> these are the versions tested, other versions may of course be vulnerable.

This is quite interesting.

javaprxy.dll, aka 'Interface Proxy for Java' is/was part of the Virtual
Machine for Java which M$ may no longer distribute. Its version number
indicates that it was initially made for IE 5.x.

You can download an archived distribution of the Virtual Machine for
Internet Explorer at
http://web.archive.org/web/20020201205255/http://www.microsoft.com/java/vm/dl_vm40.htm

The file itself is here:
http://web.archive.org/web/20020201205255/http://download.microsoft.com/download/vm/Install/3802/W9X2KMe/EN-US/msjavx86.exe

This package, entitled "Microsoft VM build 3802 for Windows 95/98,
Windows Me, Windows NT 4.0 and Windows XP", will, once extracted to the
TEMP folder, reveal the "javaprxy.dll" file, version 5.00.3802.

I don't know much about the contract M$ and Sun have, but it seems to me
like M$ forgot to remove this file off the hard disks of people who have
upgraded their I8N'd versions of Internet Explorer from v5.x to 6.x (or
just v6 SP 0/1 to v6 SP 1/2).

Just my five cents,
Moritz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ