Re: XML scripting in IE, Outlook Express

From: Georgi Guninski (guninskiat_private)
Date: Wed Apr 25 2001 - 07:08:26 PDT


    Toni Lassila wrote:
    >
    > > -----Original Message-----
    > > From: Georgi Guninski [mailto:guninskiat_private]
    > > Sent: Friday, April 20, 2001 14:40
    > > Subject: XML scripting in IE, Outlook Express
    > [...]
    > > Background:
    > > We have some disagreement with Microsoft whether this works on fully
    > > patched IE 5.x.
    > > I believe I am running fully patched IE according to the rules for
    > > patching in Microsoft's security bulletins.
    > > The problem seems to be the version of WSH which is described in
    > > MS-01-015 at:
    > > http://www.microsoft.com/technet/security/bulletin/ms01-015.asp
    > > To check whether you are vulnerable check DEMONSTRATION.
    >
    > Not vulnerable:
    >
    > Windows 2000 Professional SP1 (5.00.2195)
    > Internet Explorer 5.5 SP1 (5.50.4134.0600)
    > + Q290108, Q279328
    > Windows Scripting Host 5.1
    > Outlook 2000 + Outlook Security Fix
    > MS XML Parser 3.0
    >
    > OTOH, another computer IS vulnerable:
    >
    > Windows 2000 Professional
    > Internet Explorer 5.01
    > Windows Scripting Host 5.1
    > Outlook 2000
    > MS XML Parser 3.0
    >
    > > Workaround: I do not know of workaround but Microsoft claims updating
    > > WSH solves the issue.
    >
    > This does not seem to be the case. Also noticed during testing that
    > after unsuccessfully visiting the demonstration page, IE/OL on occasion
    > jams for a few seconds.
    
    I continue to believe all versions of IE 5.x are vulnerable.
    A lot of people have missed the point of my advisory.
    On 20 April 2001 Microsoft released Ver. 2.0 of their security bulletin
    which seems to fix a bug but not this issue.
    
    To check whether you are vulnerable to this issue:
    1. Disable Active Scripting for the Internet Zone (in case
    www.guninski.com is in the Internet Zone for you).
    2. Go to http://www.guninski.com/xstyle.eml or to
    http://www.guninski.com/xstyle.xml
    3. If you see a message box "This is VBscript" then you are vulnerable
    because this message is produced by active scripting which is disabled
    in (1).
    4. Worse, this works from email at least in Outlook Express.
    
    Georgi Guninski
    



    This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 09:39:39 PDT