[Full-Disclosure] MS02-065 vulnerability

From: Paul Szabo (pszat_private)
Date: Fri Nov 22 2002 - 02:36:50 PST

Next message: Mandrake Linux Security Team: "Updated ypserv packages fix memory leak"

Previous message: One Semicolon: "Multiple incorrect permissions in QNX."
Next in thread: HggdH: "Re: [Full-Disclosure] MS02-065 vulnerability"
Reply: HggdH: "Re: [Full-Disclosure] MS02-065 vulnerability"
Reply: Paul Szabo: "Re: [Full-Disclosure] MS02-065 vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Microsoft security bulletin
  http://www.microsoft.com/technet/security/bulletin/ms02-065.asp
contains the caveat "a patched system could be made vulnerable again [by]
visit a web site or open an HTML mail". We have a execute-any-code
vulnerability, exploitable by a Web page or email; the patch can be undone
by a Web page or email. Just as exploitable after the patch.

Is this what Microsoft calls "responsible disclosure"?

Cheers,

Paul Szabo - pszat_private  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


PS: The above applies to IE only; I know that the patch is needed also for
IIS and maybe others. Do not let details get in the way of a good story.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Mandrake Linux Security Team: "Updated ypserv packages fix memory leak"
Previous message: One Semicolon: "Multiple incorrect permissions in QNX."
Next in thread: HggdH: "Re: [Full-Disclosure] MS02-065 vulnerability"
Reply: HggdH: "Re: [Full-Disclosure] MS02-065 vulnerability"
Reply: Paul Szabo: "Re: [Full-Disclosure] MS02-065 vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Nov 22 2002 - 02:56:23 PST