(replying to two postings in one reply)

Quoting Stephen Cope <mail@nonsense.kimihia.org.nz>:
>
> This has been its /modus operandi/ for over four years:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;239750
>
> Microsoft Knowledge Base Article - 239750
> "Text/Plain" Content-Type Header Field Is Ignored
>

That article is at best out of date. It doesn't list any products past NT4 or IE5, when in fact everything after NT4 and IE5 is still vulnerable, including a fully patched XP and IE6. I tested the registry entry mentioned in that article and it has no effect on XP/IE6. I'm not convinced they are even trying to address the same issue with that particular 'fix'.

I've put up a page at the following URL you can use to test your browser:

http://www.geekgang.co.uk/test/ietest.php

On Mon, 2003-07-28 at 09:00, Fabio Pietrosanti (naif) wrote:
> MIME Type Detection in Internet Explorer explained here:
>
> http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
>

Yes, it is explained there, but that doesn't excuse MS refusing to fix this security hole. They should at a minimum ship their OS's in a secure state - and at the very very least provide an option for turning this off. As noted above, this has been known for four years - so much for the MS Secure Computing Initiative - it's laughable.

cheers,
pre.