[20024] in bugtraq


MS patch Q292108 opens a vulnerability

daemon@ATHENA.MIT.EDU (JC (Kriptopolis))
Wed Apr 4 14:14:58 2001

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID:  <004701c0bd0b$19071b80$09001aac@LaHabana>
Date:         Wed, 4 Apr 2001 15:28:10 +0200
Reply-To: "JC (Kriptopolis)" <cuartango@KRIPTOPOLIS.COM>
From: "JC (Kriptopolis)" <cuartango@KRIPTOPOLIS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,
The last MS patch, Q290108, released with bulletin MS01-020, opens a new
vulnerability.
A tricked EML file can confuse the user by displaying a fake downloaded
file name. Executable files can be disguised as other supposedly innocent
files (text, sound or images).
A demo is available at:
http://www.kriptopolis.com/cua/20010404.html
The issue was reported to MS on 22 February and they argue: this is not a
vulnerability as far as it involves a use decision.
Jesus López de Aguileta has also posted the vulnerability to this list.
Juan Carlos G. Cuartango
