BugTraq
RE: [Fwd: Re: AIM Password theft] VU#865940 Sep 24 2003 08:20PM
Thor Larholm (thor pivx com)
Art,

You are correct, I should not have replied to Mark when I had not yet had my morning coffee. The dynamic rendering of OBJECT elements still triggers the HTA functionality exposed in Windows. Personally, though, I see this as an unrelated vulnerability regarding static/dynamic code rendering which has a greater impact than just allowing HTA code to execute.

Both GM#001 and thePull's POC, which malware cites, are one and the same issue instead of two separate ones; they both trigger the dynamic rendering of HTML instead of the static. GM#001 just does this without requiring scripting.

Regards

Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities

-----Original Message-----
From: CERT(R) Coordination Center [mailto:cert (at) cert (dot) org]
Sent: Wed 9/24/2003 11:35 AM
To: Thor Larholm
Cc: CERT(R) Coordination Center; Mark Coleman; bugtraq (at) securityfocus (dot) org
Subject: RE: [Fwd: Re: AIM Password theft] VU#865940

At the present, the patch for MS03-032 breaks one of at least three
exploit techniques. The patch does not resolve the vulnerability.
MS03-032 acknowledges this. I have seen several examples of this
vulnerability being exploited in the wild.

In particular, the current MS03-32 patch doesn't account for an HTML
document created via XML/data binding:

<http://greymagic.com/adv/gm001-ie/>

The patch also does not account for an HTML document created via
script:

<http://www.securityfocus.com/archive/1/336616>

Art Manion -- CERT Coordination Center
