[31759] in bugtraq
RE: [Fwd: Re: AIM Password theft] VU#865940
daemon@ATHENA.MIT.EDU (Thor Larholm)
Wed Sep 24 18:23:16 2003
MIME-Version: 1.0
Content-Type: text/plain;
charset="utf-8"
Date: Wed, 24 Sep 2003 13:20:57 -0700
content-class: urn:content-classes:message
Message-ID: <8B32EDC90D8F4E4AB40918883281874D03EC2B@pivxwin2k1.secnet.pivx.com>
From: "Thor Larholm" <thor@pivx.com>
To: "CERT(R) Coordination Center" <cert@cert.org>
Cc: "CERT(R) Coordination Center" <cert@cert.org>,
"Mark Coleman" <markc@uniontown.com>, <bugtraq@securityfocus.org>
Content-Transfer-Encoding: 8bit
Art,
You are correct, I should not have replied to Mark when I had not yet had my morning coffee. The dynamic rendering of OBJECT elements still trigger the HTA functionality exposed in Windows. Personally, though, I see this as an unrelated vulnerability regarding static/dynamic code rendering which has a greater impact than just allowing HTA code to execute.
Both GM#001 and thePulls POC, which malware cites, are one and the same issue instead of two separate, they both trigger the dynamic rendering of HTML instead of the static - GM#001 just does this without requiring scripting.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities
-----Original Message-----
From: CERT(R) Coordination Center [mailto:cert@cert.org]
Sent: Wed 9/24/2003 11:35 AM
To: Thor Larholm
Cc: CERT(R) Coordination Center; Mark Coleman; bugtraq@securityfocus.org
Subject: RE: [Fwd: Re: AIM Password theft] VU#865940
At the present, the patch for MS03-032 breaks one of at least three
exploit techniques. The patch does not resolve the vulnerability.
MS03-032 acknowledges this. I have seen several examples of this
vulnerability being exploited in the wild.
In particular, the current MS03-32 patch doesn't account for an HTML
document created via XML/data binding:
<http://greymagic.com/adv/gm001-ie/>
The patch also does not account for an HTML document created via
script:
<http://www.securityfocus.com/archive/1/336616>
Art Manion -- CERT Coordination Center
