[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: BAD NEWS: Microsoft Security Bulletin MS03-032

To: Drew Copley <dcopley@xxxxxxxx>
Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: Nathan Wallwork <owen@xxxxxxxxxxx>
Date: Tue, 9 Sep 2003 14:17:33 -0600 (MDT)

On Mon, 8 Sep 2003, Drew Copley wrote:
> The only sure way to detect this, I already wrote about [to Bugtraq]. That
> is by setting a firewall rule which blocks the dangerous mimetype string
> [Content-Type: application/hta]. Everything else in the exploit can change. 

Just so we are clear, the firewall wouldn't tbe he right place to catch 
this because that string could be split by packet fragmentation, so you'd 
need to look for it at an application level, after the data stream 
has been reassembled.  

Of course, if anyone thinks it is easier to protect their browser with a 
proxy than fix the browser they've got other issues.

Follow-Ups:
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032
  - From: Drew Copley

References:
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032
  - From: Drew Copley

Prev by Date: Re: BAD NEWS: Microsoft Security Bulletin MS03-032 another temporary solution
Next by Date: MSIE->WsFakeSrc
Previous by thread: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
Next by thread: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
Index(es):
- Date
- Thread