<<< Date Index >>>     <<< Thread Index >>>

RE: [Fwd: Re: AIM Password theft] VU#865940



Art,
 
You are correct, I should not have replied to Mark when I had not yet had my 
morning coffee. The dynamic rendering of OBJECT elements still trigger the HTA 
functionality exposed in Windows. Personally, though, I see this as an 
unrelated vulnerability regarding static/dynamic code rendering which has a 
greater impact than just allowing HTA code to execute.
 
Both GM#001 and thePulls POC, which malware cites, are one and the same issue 
instead of two separate, they both trigger the dynamic rendering of HTML 
instead of the static - GM#001 just does this without requiring scripting.
 
 
 
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities
 
 
 

        -----Original Message----- 
        From: CERT(R) Coordination Center [mailto:cert@xxxxxxxx] 
        Sent: Wed 9/24/2003 11:35 AM 
        To: Thor Larholm 
        Cc: CERT(R) Coordination Center; Mark Coleman; 
bugtraq@xxxxxxxxxxxxxxxxx 
        Subject: RE: [Fwd: Re: AIM Password theft] VU#865940
        

        At the present, the patch for MS03-032 breaks one of at least three
        exploit techniques.  The patch does not resolve the vulnerability.
        MS03-032 acknowledges this.  I have seen several examples of this
        vulnerability being exploited in the wild.
        In particular, the current MS03-32 patch doesn't account for an HTML
        document created via XML/data binding:
        
          <http://greymagic.com/adv/gm001-ie/>
        
        The patch also does not account for an HTML document created via
        script:
        
          <http://www.securityfocus.com/archive/1/336616>
        
                     Art Manion  --  CERT Coordination Center