[25269] in bugtraq
Re: Microsoft Baseline Security Analyzer exploit (Exposed
daemon@ATHENA.MIT.EDU (Deus, Attonbitus)
Fri Apr 26 01:27:59 2002
Message-Id: <5.1.0.14.2.20020425082052.033110a0@mail.hammerofgod.com>
Date: Thu, 25 Apr 2002 08:32:34 -0700
To: 3APA3A <3APA3A@SECURITY.NNOV.RU>, "Menashe Eliezer" <menashe@finjan.com>
From: "Deus, Attonbitus" <Thor@HammerofGod.com>
Cc: Bugtraq <bugtraq@securityfocus.com>, vuln-dev <vuln-dev@securityfocus.com>
In-Reply-To: <146434456124.20020425125144@SECURITY.NNOV.RU>
Mime-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 01:51 AM 4/25/2002, 3APA3A wrote:
>Dear Menashe Eliezer,
>
>Sorry for asking, but it's unclear from advisory: is it possible to
>access reports with either:
>
>1. ActiveX element marked safe for scripting
>2. Javascript or VBscript from "Internet" security zone

Not only would the "active content" object have to meet those criteria, but
the script would also have to be able to discern the currently logged-on
user in order to see where to look in the "Documents and Settings"
tree. So, now it boils down to opening an attachment or running a trojan
or blah, blah, blah.

Microsoft's response hit the bull's-eye for this non-existent "exploit."

AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPMghkohsmyD15h5gEQIS8QCeP7KGUXpBaoIjSANa+rlv+GsJg/0AoIxy
W12BsxCwT3/WeJgv7ZiT5Xt2
=0STl
-----END PGP SIGNATURE-----