[20374] in bugtraq


Re: XML scripting in IE, Outlook Express

daemon@ATHENA.MIT.EDU (Toni Lassila)
Mon Apr 23 06:57:16 2001

Message-ID:  <6C60F1D0DCCC0F4FBDCA8F1668BE08AFCC4D@fp1.tekian.net>
Date:         Mon, 23 Apr 2001 08:45:37 +0300
Reply-To: Toni Lassila <t.lassila@MC-EUROPE.COM>
From: Toni Lassila <t.lassila@MC-EUROPE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

> -----Original Message-----
> From: Georgi Guninski [mailto:guninski@GUNINSKI.COM]
> Sent: Friday, April 20, 2001 14:40
> Subject: XML scripting in IE, Outlook Express
[...]
> Background:
> We have some disagreement with Microsoft whether this works on fully
> patched IE 5.x.
> I believe I am running fully patched IE according to the rules for
> patching in Microsoft's security bulletins.
> The problem seems to be the version of WSH which is described in
> MS-01-015 at:
> http://www.microsoft.com/technet/security/bulletin/ms01-015.asp
> To check whether you are vulnerable check DEMONSTRATION.

Not vulnerable:

Windows 2000 Professional SP1 (5.00.2195)
Internet Explorer 5.5 SP1 (5.50.4134.0600)
+ Q290108, Q279328
Windows Scripting Host 5.1
Outlook 2000 + Outlook Security Fix
MS XML Parser 3.0

OTOH, another computer IS vulnerable:

Windows 2000 Professional
Internet Explorer 5.01
Windows Scripting Host 5.1
Outlook 2000
MS XML Parser 3.0

> Workaround: I do not know of workaround but Microsoft claims updating
> WSH solves the issue.

This does not seem to be the case. Also noticed during testing that
after unsuccessfully visiting the demonstration page, IE/OL on occasion
jams for a few seconds.
