Re: XML scripting in IE, Outlook Express

From: Farley, Tim (ISSAtlanta) (TFarleyat_private)
Date: Wed Apr 25 2001 - 10:07:48 PDT

Next message: Linux Mandrake Security Team: "MDKSA-2001:042 - nedit update"

Previous message: Francis Favorini: "Re: XML scripting in IE, Outlook Express"
Maybe in reply to: Georgi Guninski: "XML scripting in IE, Outlook Express"
Next in thread: http-equivat_private: "Re: XML scripting in IE, Outlook Express"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> I continue to believe all versions of IE 5.x are vulnerable.
> A lot of people have missed the point of my advisory.
> On 20 April 2001 Microsoft released Ver. 2.0 of their
> security bulletin which seems to fix a bug but not this issue.
>
> To check whethere you are vulnerable to this issue:
> 1. Disable Active Scripting for the Internet Zone (in case
> www.guninski.com is in
> the Internet Zone for you).
> 2. Go to http://www.guninski.com/xstyle.eml or to
> http://www.guninski.com/xstyle.xml
> 3. If you see a message box "This is VBscript"  then you are
> vulnerable because this message is produced by active
> scripting which is disabled in (1).
> 4. Worse, this works from email at least in Outlook Express.

I am afraid I must agree with Toni and contradict you.

I followed the exact procedure you describe above, and my copy of IE 5.5
does NOT appear to be vulnerable.  Instead of a message box, I get this in
the browser window:

----------------------------------------------------------------------------
----
Microsoft JScript runtime error Automation server can't create object line =
2, col = 0 (line is offset from the tag). Error returned from property or
method call. The XML page cannot be displayed
Cannot view XML input using XSL style sheet. Please correct the error and
then click the Refresh button, or try again later.
Microsoft JScript runtime error Automation server can't create object line =
2, col = 0 (line is offset from the tag). Error returned from property or
method call.
----------------------------------------------------------------------------
----

(That text appears inside an IFRAME for the .EML variation).

I am running the following:

NT 4.0 SP6a
IE 5.5.4522.1800
Updates: SP1, Q279328, Q261255 (and maybe others but the about box truncates
this list).
WSCRIPT.EXE 5.1.0.4615
MSXML.DLL 8.00.5226.0

I have just about everything set to "Disabled" in my Internet zone.

Let me know if you need other version or configuration information.

=====================================
MY PHONE NUMBERS HAVE CHANGED!  PLEASE MAKE NOTE OF THE NEW ONES BELOW.
=====================================
Tim Farley
Senior Researcher
Internet Security Systems

tfarleyat_private
(404) 236-2600 / Direct Dial (404) 236-2873 / fax (404) 236-2624
http://www.iss.net

Internet Security Systems - The Power to Protect
=====================================

Next message: Linux Mandrake Security Team: "MDKSA-2001:042 - nedit update"
Previous message: Francis Favorini: "Re: XML scripting in IE, Outlook Express"
Maybe in reply to: Georgi Guninski: "XML scripting in IE, Outlook Express"
Next in thread: http-equivat_private: "Re: XML scripting in IE, Outlook Express"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 01:15:57 PDT