Summary: IE DoS in W2K and XP

From: 'ken'@FTU
Date: Wed Jun 26 2002 - 18:48:35 PDT


    This email does the following:
    
    1. Reports two more cases
    2. States my official position
    3. Answers some concerns I received in private correspondence
    
    
    1. Two other reported cases. NOTE: I did not test these cases.
    
    The odd gaim case (which I asked for more details...)
    
    ===== Case One =====
    Hello, I have tested it and it seems to work.
    However, I would also like to point out that I linked my friend who was
    on FreeBSD 4.6 and it crashed his Gaim session. I then tested it on my
    bsd4.5 and it did the same
    ====================
    
    ===== Case Two =====
    Note that the above crashes everything that uses IE, including Visual
    Studio.NET, Frontpage, Outlook/Express, etc.
    ====================
    
    
    2. My official position:
    
    I tend to agree with Microsoft, actually. My reason for posting was 
    simple: some people may have a wider scope of a DoS attack than the 
    definitions laid out by Microsoft. Also, it seems that the ease of 
    inserting this code somewhere makes it a nuisance.
    
    Please note that I mentioned in my original post that this would be more 
    of an inconvenience than a vulnerability that would cause damage of some type.
    
    
    3. Answer to some concerns...
    
    For those worried that Microsoft will sit on this problem, MS told me 
    that this would be submitted as a bug report to the proper department.
    
    To those with limited XSS imagination: what about an ecommerce site with 
    a bulletin board or some type of posting mechanism (eBay)?
    
    To the individual who thought I claimed this was worthy of a hotfix: 
    re-read my post, study your security and please read *carefully* 
    **before** sending me an email.
    
    
    Until we meet again...
    
    Yours,
    'ken'@FTU
    
    -- 
    "I grew convinced that truth, sincerity and integrity in dealings 
    between man and man were of the utmost importance to the felicity of 
    life, and I formed a written resolution to practice them ever while I 
    lived."
    	-Benjamin Franklin, The Autobiography of Benjamin Franklin
    



    This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 15:40:56 PDT