> From: Georgi Guninski writes: > > I continue to believe all versions of IE 5.x are vulnerable. > A lot of people have missed the point of my advisory. > On 20 April 2001 Microsoft released Ver. 2.0 of their > security bulletin which seems to fix a bug but not this issue. > > To check whethere you are vulnerable to this issue: > 1. Disable Active Scripting for the Internet Zone (in case > www.guninski.com is in the Internet Zone for you). > 2. Go to http://www.guninski.com/xstyle.eml or to > http://www.guninski.com/xstyle.xml > 3. If you see a message box "This is VBscript" then you are > vulnerable because this message is produced by active scripting > which is disabled in (1). > 4. Worse, this works from email at least in Outlook Express. > Internet->Options->Security->Internet Zone set to medium-low, then customized all scripting to "prompt" Windows 2K SP1 I.E. 6.00.2462.0000 128bit beta preview Prompts to enable scripting before loading the page, as well as prompting for enabling any active scripting. Clicking *no* on any of these causes the page to error out: The XML page cannot be displayed Cannot view XML input using XSL style sheet. Please correct the error and then click the Refresh button, or try again later. ---------------------------------------------------------------------------- ---- Unspecified error And if I say yes to the first prompt, i get additional prompts when the IFRAME is loaded in the xstyle.eml page. So it looks like M$ is getting closer to being able to control the problem. The only disadvantage is that I don't get a chance to see anything on the page (with scripts disabled) Of course, I can always say 'yes'...
This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 21:42:59 PDT