BugTraq
TEXT/PLAIN: ALERT("OUTLOOK EXPRESS") Jul 25 2003 05:42PM
http-equiv@excite.com (1 malware com) (2 replies)
Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS") Jul 28 2003 08:00AM
Fabio Pietrosanti (naif) (fabio pietrosanti it)
Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS") Jul 25 2003 06:35PM
Denis Jedig (seclists syneticon de) (3 replies)
Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS") Jul 28 2003 09:02AM
pre (pre geekgang co uk)
Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS") Jul 27 2003 10:13AM
Stephen Cope (mail nonsense kimihia org nz) (1 replies)
Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS") Jul 29 2003 08:53AM
pre (pre geekgang co uk)
(replying to two postings in one reply)

Quoting Stephen Cope <mail (at) nonsense.kimihia.org (dot) nz>:
>
> This has been its /modus operandi/ for over four years:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;239750
>
> Microsoft Knowledge Base Article - 239750
> "Text/Plain" Content-Type Header Field Is Ignored
>

That article is at best out of date. It doesn't list any products past NT4 or
IE5, when in fact everything after NT4 and IE5 is still vulnerable, including a
fully patched XP and IE6.

I tested the registry entry mentioned in that article and it has no effect on
XP/IE6. I'm not convinced they are even trying to address the same issue with
that particular 'fix'.

I've put up a page at the following URL you can use to test your browser:

http://www.geekgang.co.uk/test/ietest.php

On Mon, 2003-07-28 at 09:00, Fabio Pietrosanti (naif) wrote:
> MIME Type Detection in Internet Explorer explained here:
>
> http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
>

Yes, it is explained there, but that doesn't excuse MS refusing to fix this
security hole. They should at a minimum ship their OS's in a secure state - and
at the very very least provide an option for turning this off.

As noted above, this has been known for four years - so much for the MS Secure
Computing Initiative - it's laughable.

cheers,
pre.

Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS") Jul 26 2003 02:59AM
Kee Hinckley (nazgul somewhere com)


 

Copyright 2010, SecurityFocus