Microsoft security bulletin http://www.microsoft.com/technet/security/bulletin/ms02-065.asp contains the caveat "a patched system could be made vulnerable again [by] visit a web site or open an HTML mail". We have a execute-any-code vulnerability, exploitable by a Web page or email; the patch can be undone by a Web page or email. Just as exploitable after the patch. Is this what Microsoft calls "responsible disclosure"? Cheers, Paul Szabo - pszat_private http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia PS: The above applies to IE only; I know that the patch is needed also for IIS and maybe others. Do not let details get in the way of a good story. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Fri Nov 22 2002 - 02:56:23 PST