Microsoft's response is valid in many respects, but they do fail to address one specific issue. Some corporate security policies (such as firewall rules, content filters, AUP, SecPol, etc.) expressly prohibit such things as ActiveX, Javascript, and more. Specifically, a Fortune 50 company I recently worked for has such a policy. By embedding jscript code in a *.jpg file, such policies and procedures are circumvented, and MS has helped the "evil hacker" attack another victim because they have so far refused to address the real issue -- ignoring MIME type definitions.

--Rebecca Kastl

On Sun, 29 Jul 2001, Microsoft Security Response Center wrote:

> * If script were included within a .txt, .jpg or other file and
> hosted on a web site, it could be opened automatically by a page on the
> site. However, the script would run in the web page's domain, so it
> would be subject to all the same limitations as script on the page
> itself. That is, embedding the script within the file wouldn't gain the
> attacker any capabilities.
>
> Scott Culp
> Security Program Manager
> Microsoft Security Response Center
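A gateway-side check for the policy gap this message describes, as an added example that is not part of the original post: a content filter that trusts the `.jpg` name or the declared type will pass script, so this sketch compares the declared type, the extension and the leading bytes, and also scans image bodies for markup. The function name, finding strings and sample responses are constructed for illustration.

```python
import posixpath
import re

# Leading "magic" bytes for the image types the filter expects to see.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
EXT_TO_TYPE = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".gif": "image/gif", ".png": "image/png"}

# Markup that a client ignoring the MIME type may render as HTML or script.
SCRIPT_HINT = re.compile(rb"<\s*(script|html|body|iframe|object)\b", re.I)


def inspect_response(url_path, content_type, body):
    """Return policy findings for one HTTP response (hypothetical helper)."""
    findings = []
    declared = content_type.split(";")[0].strip().lower()
    ext = posixpath.splitext(url_path)[1].lower()
    expected = EXT_TO_TYPE.get(ext)

    # 1. The name says "image" but the server declares something else.
    if expected and declared != expected:
        findings.append("extension/type mismatch")

    # 2. Anything named or declared as an image must look like one.
    image_type = declared if declared in MAGIC else expected
    if image_type:
        if not body.startswith(MAGIC[image_type]):
            findings.append("bad magic")
        # 3. Valid magic alone is not enough: markup can follow the header.
        if SCRIPT_HINT.search(body[:4096]):
            findings.append("script markup in image")
    return findings


# Constructed sample bodies (not taken from the advisory or the thread).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SCRIPT_AS_JPG = b'<script language="JScript">/* placeholder */</script>'
POLYGLOT = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<SCRIPT>/* placeholder */</SCRIPT>"

if __name__ == "__main__":
    for name, ctype, body in [("/img/logo.jpg", "image/jpeg", REAL_JPEG),
                              ("/img/logo.jpg", "image/jpeg", SCRIPT_AS_JPG),
                              ("/img/logo.jpg", "text/html", SCRIPT_AS_JPG),
                              ("/img/logo.jpg", "image/jpeg", POLYGLOT)]:
        print(name, ctype, inspect_response(name, ctype, body))
```

The last sample shows why checking only the leading bytes is insufficient: a body with a valid JPEG header can still carry markup that a MIME-ignoring client will interpret.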
This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 23:24:23 PDT