Re: XML scripting in IE, Outlook Express

From: David LeBlanc (dleblancat_private)
Date: Thu Apr 26 2001 - 07:40:26 PDT


    > From: Georgi Guninski
    
    > Toni Lassila wrote:
    
    > > > Workaround: I do not know of workaround but Microsoft claims updating
    > > > WSH solves the issue.
    
    > I continue to believe all versions of IE 5.x are vulnerable.
    > A lot of people have missed the point of my advisory.
    > On 20 April 2001 Microsoft released Ver. 2.0 of their security bulletin
    > which seems to fix a bug but not this issue.
    
    You're wrong.
    
    I put your site in the restricted sites zone, which is where I run my
    e-mail, and which is default for Outlook 2000 + security patch or Office XP.
    Instead of having your demo pop up, I got:
    
    Microsoft JScript runtime error Automation server can't create object line =
    2, col = 0 (line is offset from the tag). Error returned from property or
    method call. The XML page cannot be displayed.
    
    I am running Win2k SP1 + IE 5.5 + the updated WSH.
    
    I suppose it would be best to thoroughly test things instead of supposing
    that this, that or the other version is vulnerable. I also suppose that
    working with the vendor will help clarify the details of whether something
    is or is not a problem under a given set of conditions, and further suppose
    that these details being available and accurate might help people to respond
    in an appropriate manner. Of course, that's supposing that one's objective
    is to help people be more secure. I suppose that if someone had some other
    objective, then they might behave differently.
    
    Of course, supposing that the original poster does not take the time to test
    thoroughly and present accurate information that the astute denizens of this
    list will certainly get to the bottom of the problem eventually.
    


