IE 6 XML Patch Bypass
Oct 07 2003 02:11PM
Mindwarper * (mindwarper linuxmail org)
RE: IE 6 XML Patch Bypass
Oct 08 2003 04:46PM
GreyMagic Software (security greymagic com)

>seems that even with the new Microsoft patch applied, the

There is no reason for it not to work. MS03-040 doesn't claim to offer a
patch to the variation of the application/hta content-type header in object
elements, publicly disclosed by http-equiv.

This could have been easily determined by reading the bulletin properly.

>I have recently been playing around with the xml+windows media

This is NOT a vulnerability in WMP or MSXML, they are simply used as tools
in this attack.

MSXML is used here to create and pass along a SAFEARRAY and WMP is used to
run an executable once its protocol handler has been replaced by the real
vulnerability used here. That vulnerability is Jelmer's ADODB.Stream
vulnerability, in conjunction with another vulnerability to allow a "res://"
URL to open (also by Jelmer).