>In MS02-066 Microsoft claim they've fixed several Cross Domain
>Verification problems. Unfortunately, they are not really clear on
>which vulnerabilities they fix.

Fixed by MS02-066:
- javascript: URLs in sub-frames (Who framed).
- IFrame's "Document" property (D-Day).
- showModalDialog caching.
- createRange caching (partial).
- elementFromPoint caching.
- getElementById caching.
- getElementsByName caching.
- getElementsByTagName caching.
- execCommand caching.
- location.assign caching.
- location.replace caching.
- document.write caching.
- %2F URL encoding.

Not fixed:
- external caching.
- clipboardData caching.
- Many older ones.

Incorrect statements:

Microsoft is down-playing the impact of the vulnerabilities they talk about in MS02-066.

"The vulnerabilities would only allow an attacker to read files on the user’s local system that can be rendered in a browser window, such as image files, HTML files and text files."

This is incorrect, the vulnerabilities would allow an attacker to read any type of file, regardless of whether it can be rendered in the browser or not, by using the XMLHTTP object.

Then they go on to say:

"The vulnerabilities would not provide any way for an attacker to put a program of their choice onto another user’s system."

"An attacker would need to know the name and location of any file on the system to successfully invoke it."

"The vulnerabilities could only be used to view or invoke local executables. It could not be used to create, delete, or modify arbitrary or malicious files."

All of these 3 statements are incorrect. Using the HTML Help control, it is possible to execute arbitrary commands as demonstrated by Andreas Sandblad at http://online.securityfocus.com/archive/1/298748. This includes the execution of arbitrary WSH script, which is able to perform all of the actions outlined as impossible above.

We reported these problems to Microsoft and a new revision of the bulletin should be released soon.