[19970] in bugtraq

Re: Microsoft Security Bulletin MS01-020

daemon@ATHENA.MIT.EDU (Brett Glass)
Sat Mar 31 20:41:18 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID:  <4.3.2.7.2.20010330114420.0486eb80@localhost>
Date:         Fri, 30 Mar 2001 11:46:33 -0700
Reply-To: Brett Glass <brett@LARIAT.ORG>
From: Brett Glass <brett@LARIAT.ORG>
X-To:         Microsoft Product Security <secnotif@MICROSOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <C10F7F33B880B248BCC47DB446738847445E97@red-msg-07.redmond.
              corp.microsoft.com>

Does anyone know which MIME types will be executed automatically?
Microsoft is conspicuously silent on this, perhaps in an attempt
to discourage exploits. But failure to disclose the MIME types
affected also prevents administrators from filtering e-mail
attachments of those types -- which I'd like to do, since
Microsoft's patches (by its own admission) do not solve the
entire problem.

--Brett Glass

At 08:00 PM 3/29/2001, Microsoft Product Security wrote:

>The following is a Security Bulletin from the Microsoft Product Security
>Notification Service.
>
>Please do not reply to this message, as it was sent from an unattended
>mailbox.
>                    ********************************
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>- ----------------------------------------------------------------------
>Title:      Incorrect MIME Header Can Cause IE to Execute E-mail
>            Attachment
>Date:       29 March 2001
>Software:   Microsoft Internet Explorer
>Impact:     Run code of attacker's choice.
>Bulletin:   MS01-020
>
>Microsoft encourages customers to review the Security Bulletin
>at: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
>- ----------------------------------------------------------------------
