[26285] in bugtraq
RE: Pressing CTRL in IE is dangerous - Sandblad advisory #8
daemon@ATHENA.MIT.EDU (GreyMagic Software)
Wed Jul 24 14:39:40 2002
From: "GreyMagic Software" <security@greymagic.com>
To: "Bugtraq" <bugtraq@securityfocus.com>,
"Andreas Sandblad" <sandblad@acc.umu.se>
Date: Wed, 24 Jul 2002 16:54:35 +0200
Message-ID: <LPBBLDGNEFOGMGAEHJPBKENFCOAA.security@greymagic.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-reply-to: <Pine.LNX.4.44.0207232147450.24633-100000@mao.acc.umu.se>
Microsoft and Andreas suggest the following workarounds:
>2. disable "allow paste operations via script" (best)
>3. disable active scripting
Using these workarounds is currently futile for users with Office installed.
The clipboard text can be set regardless of configuration as we've shown in
GM#007-IE, and disabling scripting can be easily circumvented as we've shown
in GM#005-IE.
These vulnerabilities have been disclosed 3.5 months ago and still haven't
been patched.
References:
http://sec.greymagic.com/adv/gm005-ie/
http://sec.greymagic.com/adv/gm007-ie/
But even without these workarounds the severity of this vulnerability is
low-medium at best since it requires a non-trivial user interaction.
- GMS
