[25271] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: Microsoft Baseline Security Analyzer exploit (Exposed vulnerabilities' list)

daemon@ATHENA.MIT.EDU (3APA3A)
Fri Apr 26 01:38:10 2002

Date: Thu, 25 Apr 2002 12:51:44 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Message-ID: <146434456124.20020425125144@SECURITY.NNOV.RU>
To: "Menashe Eliezer" <menashe@finjan.com>
Cc: Bugtraq <bugtraq@securityfocus.com>, vuln-dev <vuln-dev@securityfocus.com>
In-Reply-To: <LCEKKNCFAOCLGCBMIOFBAEJOCAAA.menashe@finjan.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

Dear Menashe Eliezer,

Sorry  for  asking,  but  it's  unclear from advisory: is it possible to
access reports with either:

1. ActiveX element marked safe for scripting
2. Javascript or VBscript from "Internet" security zone

Examples  you give for scripting will only run in local host content, so
this  problem  seems to be local only (default permissions for sensitive
files)  with  minimal  impact,  because  analysis  of  security  policy,
registry  and  file  permissions can (mostly) be done by local user with
unprivileged account. In this case risk is low.

--Thursday, April 25, 2002, 5:06:32 AM, you wrote to bugtraq@securityfocus.com:

ME> Microsoft Baseline Security Analyzer exploit (Exposed vulnerabilities' list)
ME> Finjan Software Security Advisory
ME> URL: http://www.finjan.com/mcrc/alert_show.cfm?attack_release_id=71
ME> April 24, 2002
ME> Risk: Medium
ME> -------------

-- 
~/ZARAZA
Человек это тайна... я занимаюсь этой тайной чтобы быть человеком. (Достоевский)


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[25271] in bugtraq

Re: Microsoft Baseline Security Analyzer exploit (Exposed vulnerabilities' list)

daemon@ATHENA.MIT.EDU (3APA3A)Fri Apr 26 01:38:10 2002

daemon@ATHENA.MIT.EDU (3APA3A)
Fri Apr 26 01:38:10 2002