> I continue to believe all versions of IE 5.x are vulnerable. > A lot of people have missed the point of my advisory. > On 20 April 2001 Microsoft released Ver. 2.0 of their > security bulletin which seems to fix a bug but not this issue. > > To check whethere you are vulnerable to this issue: > 1. Disable Active Scripting for the Internet Zone (in case > www.guninski.com is in > the Internet Zone for you). > 2. Go to http://www.guninski.com/xstyle.eml or to > http://www.guninski.com/xstyle.xml > 3. If you see a message box "This is VBscript" then you are > vulnerable because this message is produced by active > scripting which is disabled in (1). > 4. Worse, this works from email at least in Outlook Express. I am afraid I must agree with Toni and contradict you. I followed the exact procedure you describe above, and my copy of IE 5.5 does NOT appear to be vulnerable. Instead of a message box, I get this in the browser window: ---------------------------------------------------------------------------- ---- Microsoft JScript runtime error Automation server can't create object line = 2, col = 0 (line is offset from the tag). Error returned from property or method call. The XML page cannot be displayed Cannot view XML input using XSL style sheet. Please correct the error and then click the Refresh button, or try again later. Microsoft JScript runtime error Automation server can't create object line = 2, col = 0 (line is offset from the tag). Error returned from property or method call. ---------------------------------------------------------------------------- ---- (That text appears inside an IFRAME for the .EML variation). I am running the following: NT 4.0 SP6a IE 5.5.4522.1800 Updates: SP1, Q279328, Q261255 (and maybe others but the about box truncates this list). WSCRIPT.EXE 5.1.0.4615 MSXML.DLL 8.00.5226.0 I have just about everything set to "Disabled" in my Internet zone. Let me know if you need other version or configuration information. ===================================== MY PHONE NUMBERS HAVE CHANGED! PLEASE MAKE NOTE OF THE NEW ONES BELOW. ===================================== Tim Farley Senior Researcher Internet Security Systems tfarleyat_private (404) 236-2600 / Direct Dial (404) 236-2873 / fax (404) 236-2624 http://www.iss.net Internet Security Systems - The Power to Protect =====================================
This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 01:15:57 PDT