[22001] in bugtraq


RE: TXT or HTML? -- IE NEW BUG

daemon@ATHENA.MIT.EDU (Rebecca Kastl)
Mon Jul 30 02:40:07 2001

Date: Mon, 30 Jul 2001 01:10:40 -0500 (CDT)
From: Rebecca Kastl <rkastl@neohapsis.com>
To: Microsoft Security Response Center <secure@microsoft.com>
Cc: cr4zybird <cr4zybird@hotmail.com>, <bugtraq@securityfocus.com>
In-Reply-To: <C10F7F33B880B248BCC47DB446738847038F968B@red-msg-07.redmond.corp.microsoft.com>
Message-ID: <Pine.LNX.4.33.0107292336250.19835-100000@7of9.neohapsis.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Microsoft's response is valid in many respects, but they do fail to address
one specific issue.

Some corporate security policies (such as firewall rules, content filters,
AUP, SecPol, etc.) expressly prohibit such things as ActiveX, Javascript, and
more.  Specifically, a Fortune 50 company I recently worked for has such a
policy.  By embedding jscript code in a *.jpg file, such policies and
procedures are circumvented, and MS has helped the "evil hacker" attack
another victim because they have so far refused to address the real issue --
ignoring MIME type definitions.


--Rebecca Kastl


On Sun, 29 Jul 2001, Microsoft Security Response Center wrote:

> *	If script were included within a .txt, .jpg or other file and
> hosted on a web site, it could be opened automatically by a page on the
> site.  However, the script would run in the web page's domain, so it
> would be subject to all the same limitations as script on the page
> itself.  That is, embedding the script within the file wouldn't gain the
> attacker any capabilities.
>
> Scott Culp
> Security Program Manager
> Microsoft Security Response Center
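
The filtering gap raised in this message, as an added example that is not part of the original post or of any product mentioned in it: a content filter that compares a response body with its declared MIME type instead of trusting the file extension or Content-Type header. The function name, the verdict strings, the 1024-byte inspection window and the sample payloads are assumptions constructed for illustration.

```python
import re

# Magic-number prefixes for the image types this filter recognises.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}

# Markup that a client which ignores the declared type could render as HTML.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(script|html|body|iframe|object|embed)\b", re.IGNORECASE
)

SNIFF_WINDOW = 1024  # assumption: number of leading bytes the filter inspects


def inspect_response(declared_type: str, body: bytes) -> str:
    """Return 'allow', 'block' or 'not-covered' for one HTTP response body."""
    mime = declared_type.split(";", 1)[0].strip().lower()
    head = body[:SNIFF_WINDOW]
    if mime in IMAGE_MAGIC:
        # A declared image must start with that image format's magic number.
        if not head.startswith(IMAGE_MAGIC[mime]):
            return "block"
    elif mime != "text/plain":
        return "not-covered"  # left to the filter's other rules
    # Declared image or plain text: no active markup in the inspected prefix.
    return "block" if ACTIVE_MARKUP.search(head) else "allow"


# Constructed sample bodies (not captured traffic).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SCRIPT_AS_JPEG = b"<html><script>/* constructed sample */</script></html>"
JPEG_WITH_MARKUP = b"\xff\xd8\xff\xfe\x00\x20<script>/* constructed */</script>"
SCRIPT_AS_TXT = b"<SCRIPT language=JScript>/* constructed sample */</SCRIPT>"

if __name__ == "__main__":
    for label, ctype, body in [
        ("real jpeg", "image/jpeg", REAL_JPEG),
        ("script served as .jpg", "image/jpeg", SCRIPT_AS_JPEG),
        ("jpeg magic plus markup", "image/jpeg", JPEG_WITH_MARKUP),
        ("script served as .txt", "TEXT/PLAIN; charset=US-ASCII", SCRIPT_AS_TXT),
    ]:
        print(f"{label:24} {inspect_response(ctype, body)}")
```
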

