Toni Lassila wrote: > > > -----Original Message----- > > From: Georgi Guninski [mailto:guninskiat_private] > > Sent: Friday, April 20, 2001 14:40 > > Subject: XML scripting in IE, Outlook Express > [...] > > Background: > > We have some disagreement with Microsoft whether this works on fully > > patched IE 5.x. > > I believe I am running fully patched IE according to the rules for > > patching in > > Microsoft's security bulletins. > > The problem seems to be the version of WSH which is described in > > MS-01-015 at: > > http://www.microsoft.com/technet/security/bulletin/ms01-015.asp > > To check whether you are vulnerable check DEMONSTRATION. > > Not vulnerable.: > > Windows 2000 Professional SP1 (5.00.2195) > Internet Explorer 5.5 SP1 (5.50.4134.0600) > + Q290108, Q279328 > Windows Scripting Host 5.1 > Outlook 2000 + Outlook Security Fix > MS XML Parser 3.0 > > OTOH, another computer IS vulnerable: > > Windows 2000 Professional > Internet Explorer 5.01 > Windows Scripting Host 5.1 > Outlook 2000 > MS XML Parser 3.0 > > > Workaround: I do not know of workaround but Microsoft claims updating > > WSH solves the issue. > > This does not seem to be the case. Also noticed during testing that > after unsuccessfully visiting the demonstration page, IE/OL on occasion > jams for a few seconds. I continue to believe all versions of IE 5.x are vulnerable. A lot of people have missed the point of my advisory. On 20 April 2001 Microsoft released Ver. 2.0 of their security bulletin which seems to fix a bug but not this issue. To check whethere you are vulnerable to this issue: 1. Disable Active Scripting for the Internet Zone (in case www.guninski.com is in the Internet Zone for you). 2. Go to http://www.guninski.com/xstyle.eml or to http://www.guninski.com/xstyle.xml 3. If you see a message box "This is VBscript" then you are vulnerable because this message is produced by active scripting which is disabled in (1). 4. Worse, this works from email at least in Outlook Express. Georgi Guninski
This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 09:39:39 PDT