> -----Original Message-----
> From: http-equiv@xxxxxxxxxx [mailto:1@xxxxxxxxxxx]

The codeBase attribute has allowed command execution from the My Computer zone without interruption since this misfeature was discovered by Dildog. It was not automatically re-enabled with yesterday's patches, so there must have been some other problem with your systems that has made it untestable for you during the years.

If you need any easily reproducible POC for codeBase you can use the example from GM#001-IE [1]. Put a fresh Windows XP image on VMWare or VirtualPC, apply all the patches up to June/July 2003 and you will see that the POC still works. You can even combine codebase with any of the recent click hijacking vulnerabilities from Paul and you can see that beneath the new Information Bar in SP2 the same codebase functionality is present (by the way, that bar is not present in the Intranet or Trusted Sites zones).

[1] http://www.greymagic.com/security/advisories/gm001-ie/

We have by no means been trying to hide the download location of Qwik-Fix Pro from anyone. We are in the middle of a data center move and have been readily handing out internal download locations and instructions, delivering guidance and support to anyone who has inquired. However, I cannot locate a download request from you in our support center.

Qwik-Fix Pro is currently in Release Candidate 1 with a planned General Availability for August. We most certainly appreciate the tremendous beta feedback we have received over these last months; it has helped us tremendously.

It is not apparent from your post whether you have been testing the long ago discontinued Qwik-Fix Beta v0.60 or the later Qwik-Fix Pro, but the description of your problems sounds as if no changes are even applied to your system. If you could give us more details about your system (OS, SP level) I would love to reproduce this. You are not mentioning any of the URL protocol handler lockdowns, MIME type mitigations or icon handler restrictions that RC1 contains, so I am guesstimating that you have been testing an older beta version. Feel very welcome to request an RC1 download from our site.

I am also positive that your concerns about the updating logic will be answered fully once you look at the multiple layers of encryption and digital signatures based on 2048-bit RSA keys that combined mitigate against the impact of any imaginable MITM attack - these are all covered in the complete forensics analysis of Qwik-Fix Pro that will be released in the near future. We are trying to far exceed the industry expectations on the level of openness and are eagerly playing cards with our hands open.

It is encouraging that you have enough faith in Windows XP Service Pack 2 to hint that it will solve all the security issues in Internet Explorer. I will have to disagree on that sentiment as vulnerabilities have been discovered that even work on a fully patched XPSP2RC2. Much as you, I am looking forward to the improvements of the final service pack.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
<http://www.pivx.com/qwikfix>