Any Microsoft advocates wish to confirm (or deny) this?


Post by David Mohri » Wed, 03 Apr 2002 15:35:12



"MS security patch fails to work"
http://www.theregus.com/content/4/24500.html
OR
http://www.theregister.co.uk/content/4/24667.html
+The MS patch intended to fix a data binding flaw in IE which
+enables a script to call executables on your Windows machine does
+not work.

David Mohring - "No wonder MS flacks work so hard to inhibit the
                 publication of such dangerous code", sums up
                 the reason for Microsoft's Anti-Linux propaganda
                 as well.

 
 
 


Post by Stuart F » Wed, 03 Apr 2002 22:37:43



> "MS security patch fails to work"
> http://www.theregus.com/content/4/24500.html
> OR
> http://www.theregister.co.uk/content/4/24667.html
> +The MS patch intended to fix a data binding flaw in IE which
> +enables a script to call executables on your Windows machine does
> +not work.

I can confirm that the bug is not exploitable remotely (i.e. from a
web page), but it is exploitable if I copy the code to an html file
hosted on my local machine.  As the researchers themselves say, it's
just a matter of setting the correct security in the local computer
zone: http://security.greymagic.com/adv/gm001-ie/

Cheers

Stu

 
 
 


Post by Bob Hauc » Thu, 04 Apr 2002 12:28:38



> I can confirm that the bug is not exploitable remotely (i.e. from a
> web page), but it is exploitable if I copy the code to an html file
> hosted on my local machine.

What about stuff in the browser cache?

--
 -| Bob Hauck
 -| To Whom You Are Speaking
 -| http://www.haucks.org/

 
 
 


Post by freefa » Thu, 04 Apr 2002 16:25:45





>> I can confirm that the bug is not exploitable remotely (i.e. from a
>> web page), but it is exploitable if I copy the code to an html file
>> hosted on my local machine.

>What about stuff in the browser cache?

A warning message is issued if you attempt to open files from the
browser cache.
 
 
 
