[20483] in bugtraq


Re: XML scripting in IE, Outlook Express

daemon@ATHENA.MIT.EDU (Rick Updegrove)
Fri Apr 27 04:19:47 2001

Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID:  <20010427030114.14797.qmail@updegrove.net>
Date:         Fri, 27 Apr 2001 03:01:14 GMT
Reply-To: Rick Updegrove <dislists@UPDEGROVE.NET>
From: Rick Updegrove <dislists@UPDEGROVE.NET>
X-To:         Ken@infosec101.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <EKEIJMECHELIFJCAOFHGIEDIDAAA.Ken@infosec101.org>

Ken Pfeil writes:

> Updating WSH DOES resolve this issue.
> Patching/upgrading the browser had no effect.

I apologize in advance for my ignorance, but what is WSH?

NOTE*  I modified the original .xml and .xls files used in the original post
and sent them to my brother and my best friend, who are both NT admins with
large userbases, all using Outlook Express or Outlook.  I warned them ahead
of time and explained they should first disable scripting and set their
security levels to high, and I forwarded the original post.  They both
assured me that was not going to be an issue.  They were flabbergasted when
they realized that they were both vulnerable.  I have only had one person
claim he was not (and I really don't believe him because he tends to be
extremely paranoid and would not admit to anything anyway).

By the way I did fire up OE myself and I was also vulnerable.

(Windows2000PRO 5.00.2195 SP1 / IE 5.5.4133.2400)


Rick Up
