
RE: [Full-Disclosure] The *real* reason the pivx unpatched IE flaws page was taken offline?



Quoting List Account <list.account@cerdant.com>:

> Does anyone have an archived copy of the page(s) they would be
> willing to share with the list?

lynx -dump:

 
Unpatched IE security holes
 
 
Why this page ?
 
   This page is a list of vulnerabilities that remain unpatched; it is
   our hope that the increased awareness brought forth may help further
   the research necessary to properly secure them.
   Vulnerabilities listed on this page work (among others) with the
   latest versions of Internet Explorer, with all patches installed.
   Until proper patches have been provided, the only fix to some of these
   vulnerabilities is to disable scripting.
   This page is, and always will be, a work in progress. This is not a
   definitive list of vulnerabilities.
 
   [12]Back
 
Miscellaneous news
 
   11 September 2003: There are currently 31 unpatched vulnerabilities.
 
   The latest cumulative Internet Explorer patch was released on
   August 20, 2003 with the identifier [13]MS03-032.
   Cumulative patches combine all previous IE patches, and should be
   considered mandatory installs.
 
   11 September 2003: Added Media bar resource injection by jelmer
   10 September 2003: Added file-protocol proxy by Liu Die Yu
   10 September 2003: Added NavigateAndFind protocol history by Liu Die Yu
   10 September 2003: Added window.open search injection by Liu Die Yu
   10 September 2003: Added NavigateAndFind file proxy by Liu Die Yu
   10 September 2003: Added Timed history injection by Liu Die Yu
   10 September 2003: Added history.back method caching by Liu Die Yu
   10 September 2003: Added Click hijacking by Liu Die Yu
   9 September 2003: Re-added Re-evaluating HTML elevation
   26 August 2003: Added ADODB.Stream local file writing by jelmer
   20 August 2003: Changed latest cumulative IE patch link, [14]MS03-032
   released
   5 August 2003: Added Notepad popups by Richard M. Smith
   4 August 2003: Added protocol control chars by badWebMasters
   [15]Older news...
 
Unpatched vulnerabilities
 
   Media bar resource injection
   Description: Arbitrary file download and execution, by ability to load
   resource files in a window object
   Reference:
   [16]http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html
   Exploit: [17]http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
 
   file-protocol proxy
   Description: cross-domain scripting, cookie/data/identity theft,
   command execution
   Reference:
   [18]http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM
   Exploit:
   [19]http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-MyPage.HTM
 
   NavigateAndFind protocol history
   Description: cross-domain scripting, cookie/data/identity theft,
   command execution
   Reference:
   [20]http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-Content.HTM
   Exploit:
   [21]http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-MyPage.HTM
 
   window.open search injection
   Description: cross-domain scripting, cookie/data/identity theft,
   command execution
   Reference:
   [22]http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-Content.HTM
   Exploit:
   [23]http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-MyPage.htm
 
   NavigateAndFind file proxy
   Description: cross-domain scripting, cookie/data/identity theft,
   command execution
   Reference:
   [24]http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-Content.HTM
   Exploit:
   [25]http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-MyPage.htm
 
   Timed history injection
   Description: cross-domain scripting, cookie/data/identity theft,
   command execution
   Reference:
   [26]http://safecenter.net/liudieyu/BackMyParent2/BackMyParent2-Content.HTM
   Exploit:
   [27]http://www.safecenter.net/liudieyu/BackMyParent2/BackMyParent2-MyPage.HTM
 
   history.back method caching
   Description: cross-domain scripting, cookie/data/identity theft,
   command execution
   Reference:
   [28]http://safecenter.net/liudieyu/RefBack/RefBack-Content.HTM
   Exploit:
   [29]http://www.safecenter.net/liudieyu/RefBack/RefBack-MyPage.HTM
 
   Click hijacking
   Description: Pointing IE mouse events at non-IE/system windows
   Reference:
   [30]http://safecenter.net/liudieyu/HijackClick/HijackClick-Content.HTM
   Exploit:
   [31]http://safecenter.net/liudieyu/HijackClick/HijackClick2-MyPage.HTM
 
   Re-evaluating HTML elevation dataSrc command execution
   Description: Allows execution of arbitrary commands in Local Zones
   Detail: This bug is related to the codebase local path bug, but
   details the actual issue and runs without scripting or ActiveX enabled
   Published: February 28th 2002
   Reference: [32]http://security.greymagic.com/adv/gm001-ie/
   Example exploit:
   [33]http://security.greymagic.com/adv/gm001-ie/advbind.asp
   Note: See [34]6th May 2003 Notes.
   Notes September 2003:
   Renamed and re-added, symptom fixed instead of problem. Now
   demonstrates how to reach HTA functionality.
   Reference:
   [35]http://msgs.securepoint.com/cgi-bin/get/bugtraq0309/83.html
   Example exploit: [36]http://www.malware.com/badnews.html
   Example exploit without scripting:
   [37]http://www.malware.com/greymagic.html
   Temporary workaround: Change the mime-type application/hta to
   something else
 
   ADODB.Stream local file writing
   Description: Planting arbitrary files on the local file system
   Exploit: [38]http://ip3e83566f.speed.planet.nl/eeye.html (but
   unrelated to the EEye exploit)
 
   Notepad popups
   Description: Opening popup windows without scripting
   Reference: [39]http://computerbytesman.com/security/notepadpopups.htm
   Followup:
   [40]http://msgs.securepoint.com/cgi-bin/get/bugtraq0308/55.html
   Note: This is just an example of the problem; this entry will be
   replaced when more material is published
 
   protocol control chars
   Description: Circumventing content filters
   Reference: [41]http://badwebmasters.net/advisory/012/
   Exploit: [42]http://badwebmasters.net/advisory/012/test2.asp
 
   WMP local file bounce
   Description: Switching security zone, arbitrary command execution,
   automatic email-borne command execution
   Reference:
   [43]http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=6783
   Exploit: [44]http://www.malware.com/once.again!.html
 
   HTTP error handler Local Zone XSS
   Description: HTML/Script injection in the Local Zone
   Reference: [45]http://sec.greymagic.com/adv/gm014-ie/
   Exploit: [46]http://sec.greymagic.com/adv/gm014-ie/
 
   XSS in Unparsable XML Files
   Description: Cross-Site Scripting on any site hosting files that can
   be misrendered in MSXML
   Reference: [47]http://sec.greymagic.com/adv/gm013-ie/
   Exploit: [48]http://sec.greymagic.com/adv/gm013-ie/
 
   Alexa Related Privacy Disclosure
   Description: Unintended disclosure of private information when using
   the Related feature
   Reference: [49]http://www.secunia.com/advisories/8955/
   Reference: [50]http://www.imilly.com/alexa.htm
 
   Basic Authentication URL spoofing
   Description: Spoofing the URL displayed in the Address bar
   Reference:
   [51]http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/15.html
 
   DNSError folder disclosure
   Description: Gaining access to local security zones
   Reference:
   [52]http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/52.html
 
   mhtml wecerr CAB flip
   Description: Delivery and installation of an executable
   Reference:
   [53]http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/48.html
 
   WebFolder data Injection
   Description: Injecting arbitrary data in the My Computer zone
   Reference:
   [54]http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/13.html
 
   codebase local path
   Description: Allows execution of arbitrary commands in Local Zones
   Hinted: June 25th 2000 by Dildog
   Reference: [55]http://online.securityfocus.com/archive/1/66869
   Hinted: November 23rd 2000 by Georgi Guninski
   Reference: [56]http://www.guninski.com/parsedat-desc.html
   Published: January 10th 2002, by thePull (incorrectly labeled the
   "Popup object" vulnerability)
   Reference:
   [57]http://home.austin.rr.com/wiredgoddess/thepull/advisory4.html
   Example exploit:
   [58]http://home.austin.rr.com/wiredgoddess/thepull/funRun.html
   Note: See [59]6th May 2003 Notes.
 
   Web Archive buffer overflow
   Description: Possible automated code execution.
   Reference:
   [60]http://msgs.securepoint.com/cgi-bin/get/bugtraq0303/107.html
 
   dragDrop invocation
   Description: Arbitrary local file reading through native Windows
   dragDrop invocation.
   Reference:
   [61]http://msgs.securepoint.com/cgi-bin/get/bugtraq0302/12.html
   Exploit: [62]http://kuperus.xs4all.nl/security/ie/xfiles.htm
 
   document.domain parent DNS resolver
   Description: Improper duality check leading to firewall breach
   Published: July 29 2002
   Reference:
   [63]http://online.securityfocus.com/archive/1/284908/2002-07-27/2002-08-02/0
 
   FTP Folder View XSS
   Description: Elevating privileges, running script in the My Computer
   zone, arbitrary command execution, etc.
   Published: June 7th 2002 (Microsoft was notified December 21st 2001.)
   Reference:
   [64]http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html
   Exploit: [65]http://jscript.dk/Jumper/xploit/ftpfolderview.html
 
   DynSrc Local File detection
   Description: Detect if a local file exists, and read its size/date
   Published: March 27th 2002
   Reference: [66]http://security.greymagic.com/adv/gm003-ie/
   Status: Patched in IE6 by [67]IE6 Service Pack 1, but IE5 and 5.5 are
   still vulnerable.
 
   Security zone transfer
   Description: Automatically opening IE + Executing attachments
   Published: March 22nd 2002
   Reference: [68]http://security.greymagic.com/adv/gm002-ie/
 
   Extended HTML Form Attack
   Description: Cross Site Scripting through non-HTTP ports, stealing
   cookies, etc.
   Published: February 6th 2002
   Reference:
   [69]http://eyeonsecurity.org/advisories/multple-web-browsers-vulnerable-to-extended-form-attack.htm
 
   "script src" local file enumeration
   Description: Enables a malicious programmer to detect if a local file
   exists.
   Published: January 3rd 2002
   Reference: [70]http://www.securityfocus.com/bid/3779
   Example exploit: [71]http://jscript.dk/Jumper/xploit/scriptsrc.html
 
   IE https certificate attack
   Description: Undetected SSL man-in-the-middle attacks, decrypting
   SSL-encrypted traffic in realtime
   Published: December 22 2001 (Stefan Esser)
   Published: June 6 2000 (ACROS)
   Reference: [72]http://security.e-matters.de/advisories/012001.html
   Example exploit: [73]http://suspekt.org/
   Status: Initially fixed in IE4 and early IE5s by MS00-039,
   re-introduced by a later patch.
 
Patched vulnerabilities
 
   These used to be listed on this page, but have now been patched.
   Hopefully, this means that this page is working as expected.
 
   Content-Disposition/Type
   Description: Allows spoofing of filename in download dialog
   Published: November 26th 2001
   Reference:
   [74]http://www.securityfocus.com/cgi-bin/archive.pl?id=1&threads=1&tid=242376
   Patched: December 13th 2001
   ([75]http://www.microsoft.com/technet/security/bulletin/MS01-058.asp)
   Re-Published: December 16th (by HTTP-EQUIV, patch didn't work)
   Reference: [76]http://online.securityfocus.com/archive/88/245822
   Example exploit: [77]http://jscript.dk/Jumper/xploit/contentspoof.asp
   [78]Finally patched by MS02-005 (nice touch about blurring Open)
 
   XMLHTTP
   Description: Allows reading of local files
   Published: December 15th 2001
   Reference: [79]http://www.securityfocus.com/bid/3699
   Example exploit: [80]http://jscript.dk/Jumper/xploit/xmlhttp.asp
   [81]Finally completely patched by MS02-008
 
   document.open
   Description: Allows cross-domain scripting (reading cookies from other
   site, etc.)
   Published: December 19th 2001
   Reference: [82]http://www.securityfocus.com/bid/3721
   Example exploits: [83]http://tom.me.uk/MSN/ &
   [84]http://home.austin.rr.com/wiredgoddess/thepull/advisory3.html
   [85]Patched by MS02-005
 
   GetObject
   Description: Allows reading of local files (any type, even binary)
   Published: January 1st 2002
   Reference: [86]http://www.securityfocus.com/bid/3767
   Example exploit: [87]http://jscript.dk/Jumper/xploit/GetObject.html
   [88]Patched by MS02-005
 
   Cookie-based Script Execution
   Description: Injecting script in the Local Zone.
   Published: April 3rd 2002
   Reference: [89]http://online.securityfocus.com/archive/1/265459
   Status: Partly patched by [90]MS02-015, easily circumvented.
   [91]Patched by MS02-023
 
   File download execution
   Description: Download and execute any program automatically
   Published: March 18th 2002
   Reference:
   [92]http://www.lac.co.jp/security/english/snsadv_e/48_e.html
   History: Added March 23rd, removed March 26th, re-added March 27th
   Details: [93]http://www.newsbytes.com/news/02/175484.html
   [94]Patched by MS02-023
 
   OWC Local File Detection
   Description: Multiple local files detection issues
   Published: April 8th 2002
   Reference: [95]http://security.greymagic.com/adv/gm008-ie/
   Exploit: [96]http://security.greymagic.com/adv/gm008-ie/
   [97]Patched by MS02-044
 
   OWC Clipboard Access
   Description: Complete clipboard access even with Clipboard Disabled
   Published: April 8th 2002
   Reference: [98]http://security.greymagic.com/adv/gm007-ie/
   Exploit: [99]http://security.greymagic.com/adv/gm007-ie/
   [100]Patched by MS02-044
 
   OWC Local File Reading
   Description: Reading local and remote files with OWC in IE
   Published: April 8th 2002
   Reference: [101]http://security.greymagic.com/adv/gm006-ie/
   Exploit: [102]http://security.greymagic.com/adv/gm006-ie/
   [103]Patched by MS02-044
 
   OWC Scripting
   Description: Running script even with Scripting Disabled
   Published: April 8th 2002
   Reference: [104]http://security.greymagic.com/adv/gm005-ie/
   Exploit: [105]http://security.greymagic.com/adv/gm005-ie/advowcscr.asp
   [106]Patched by MS02-044
 
   Remote dialogArguments interaction
   Description: Elevating privileges, hijacking MSN Messenger, running
   script in the My Computer zone, arbitrary command execution, etc.
   Published: April 16th 2002
   Reference: [107]http://jscript.dk/adv/TL002/
   Exploit: [108]http://jscript.dk/adv/TL002/
   Appendix: Extending the vulnerable version from just IE6 to IE5 and
   higher.
   Reference and exploit:
   [109]http://security.greymagic.com/adv/gm001-ax/
   Status: Partly patched by [110]MS02-023, IE6 appears fixed while IE5.5
   and 5 are still wide open.
   Patched by MS02-047
 
   Gopher buffer overflow
   Description: Delivery and execution of arbitrary code
   Published: June 4th 2002
   Reference:
   [111]http://www.solutions.fi/index.cgi/news_2002_06_04?lang=en
   Workaround:
   [112]http://www.microsoft.com/technet/security/bulletin/MS02-027.asp
   Third-party fix: [113]http://www.pivx.com/gopher_smoker.html
   Patched by MS02-047
 
   object Cross Domain Scripting
   Description: Elevating privileges, arbitrary command execution, local
   file reading, stealing arbitrary cookies, etc.
   Published: July 10 2002
   Reference: [114]http://www.pivx.com/larholm/adv/TL003/
   Exploit: [115]http://www.pivx.com/larholm/adv/TL003/
   Patched by MS02-047
 
   IE dot bug
   Description: Overriding filetype handlers on local files
   Published: May 19th 2002
   Reference:
   [116]http://online.securityfocus.com/archive/1/273168/2002-05-18/2002-05-24/0
   Patched by MS02-047
 
   XP Help deleter
   Description: Arbitrary local file/folder deletion.
   Published: August 15 2002
   Reference:
   [117]http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00224.html
   Exploit: [118]http://jscript.dk/2002/8/sec/xphelpdelete.html
   [119]Patched by Windows XP SP1
 
   delegated SSL authority
   Description: HTTPS spoofing, man-in-the-middle attacks, etc.
   Published: August 6 2002
   Reference: [120]http://www.thoughtcrime.org/ie-ssl-chain.txt
   Reference: [121]http://arch.ipsec.pl/inteligo.html
   Exploit: [122]http://www.thoughtcrime.org/ie.html
   [123]Appears patched by MS02-050
 
   Who framed Internet Explorer
   Description: Cross-protocol scripting, arbitrary command execution,
   local file reading, cookie theft, website forging, sniffing https,
   etc.
   Published: September 9 2002
   Reference: [124]http://sec.greymagic.com/adv/gm010-ie/
   Exploit: [125]http://sec.greymagic.com/adv/gm010-ie/wfsimple.html
   Patched by MS02-066
 
   iframe Document - The D-day
   Description: Circumventing zone sandboxing, XSS, cookie theft, local
   file reading / execution
   Published: October 15 2002
   Reference: [126]http://security.greymagic.com/adv/gm011-ie/
   Exploits: [127]http://security.greymagic.com/adv/gm011-ie/
   Patched by MS02-066
 
   object zone redirection
   Description: Circumventing the zone restrictions introduced by IE6 SP1
   Published: September 10 2002
   Reference: [128]http://www.pivx.com/larholm/adv/TL005/
   Reference: [129]http://online.securityfocus.com/bid/5730/discussion/
   Patched by MS02-066
 
   showModalDialog method caching
   Description: Circumventing security zones, XSS, cookie theft, local
   file reading / execution, etc.
   Published: October 22 2002
   Reference: [130]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Exploit: [131]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Patched by MS02-066
 
   createRange method caching
   Description: Circumventing security zones, XSS, cookie theft, local
   file reading / execution, etc.
   Published: October 22 2002
   Reference: [132]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Exploit: [133]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Patched by MS02-066
 
   elementFromPoint method caching
   Description: Circumventing security zones, XSS, cookie theft, local
   file reading / execution, etc.
   Published: October 22 2002
   Reference: [134]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Exploit: [135]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Patched by MS02-066
 
   getElementById method caching
   Description: Circumventing security zones, XSS, cookie theft, local
   file reading / execution, etc.
   Published: October 22 2002
   Reference: [136]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Exploit: [137]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Patched by MS02-066
 
   getElementsByName method caching
   Description: Circumventing security zones, XSS, cookie theft, local
   file reading / execution, etc.
   Published: October 22 2002
   Reference: [138]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Exploit: [139]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Patched by MS02-066
 
   getElementsByTagName method caching
   Description: Circumventing security zones, XSS, cookie theft, local
   file reading / execution, etc.
   Published: October 22 2002
   Reference: [140]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Exploit: [141]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Patched by MS02-066
 
   execCommand method caching
   Description: Read access to the foreign document.
   Published: October 22 2002
   Reference: [142]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Exploit: [143]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Patched by MS02-066
 
   document.write method caching
   Description: Spoofing of content
   Published: October 21 2002
   Reference:
   [144]http://online.securityfocus.com/archive/1/296371/2002-10-19/2002-10-25/0
   Exploit: [145]http://clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage
   section.
   Patched by MS02-066
 
   "assign" method caching
   Description: Circumventing zone sandboxing, cross-protocol scripting,
   cookie theft, and possible local file reading / execution
   Published: October 1 2002
   Reference:
   [146]http://online.securityfocus.com/archive/1/293692/2002-09-29/2002-10-05/0
   Exploit:
   [147]http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm
   Exploit: [148]http://jscript.dk/2002/10/sec/SaveRefLocalFile.html
   (local file reading and execution)
   Patched by MS02-066
 
   Slash URL encoding XSS
   Description: Arbitrary Cross Domain Scripting, cookie theft, etc.
   Published: September 3 2002
   Reference:
   [149]http://online.securityfocus.com/archive/1/290220/2002-09-01/2002-09-07/0
   Exploit:
   [150]http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm
   Patched by MS02-066
 
   HTML Help ActiveX
   Description: stack and heap based buffer overflows, DOS
   Published: May 27th 2002
   Reference: [151]http://www.nextgenss.com/vna/ms-whelp.txt
   Reference: [152]http://online.securityfocus.com/bid/4857
   Believed to be Patched by MS02-066
 
   external object caching
   Description: Circumventing security zones, XSS, cookie theft, local
   file reading / execution, etc.
   Published: October 22 2002
   Reference: [153]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Exploit: [154]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   [155]Patched by MS02-068
 
   MS JVM native method vulnerabilities
   Description: A collection of at least 10 different vulnerabilities in
   the MS JVM, escaping the sandbox, local file reading, silent delivery
   and execution of arbitrary programs, etc.
   Published: September 9 2002
   Reference:
   [156]http://www.solutions.fi/index.cgi/news_2002_09_09?lang=eng
   [157]Patched by MS03-011
 
   Self-executing HTML Help
   Description: Delivery and execution of arbitrary programs
   Published: June 1st 2002
   Reference: [158]http://www.malware.com/yelp.html
   Reference: [159]http://online.securityfocus.com/archive/1/275126
   Exploit: [160]http://www.malware.com/html.zip
   [161]Patched by MS03-015
 
   cross-frame dialogArguments access
   Description: Circumventing security zones, local file reading /
   execution, etc.
   Published: November 20 2002
   Reference:
   [162]http://online.securityfocus.com/archive/1/300525/2002-11-17/2002-11-23/0
   Exploit:
   [163]http://www16.brinkster.com/liudieyu/BadParent/BadParent-MyPage.htm
   Extended Exploit: [164]http://security.greymagic.com/misc/globalDgArg/
   [165]Patched by MS03-015
 
   clipboardData object caching
   Description: Read/write access to the clipboard, regardless of
   settings.
   Published: October 22 2002
   Reference: [166]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   Exploit: [167]http://sec.greymagic.com/adv/gm012-ie (cumulative advisory)
   [168]Patched by MS03-015
 
   Java XMLDSO base tag
   Description: Arbitrary local file reading.
   Published: August 17 2002
   Reference:
   [169]http://online.securityfocus.com/archive/1/287895/2002-08-15/2002-08-21/0
   Exploit: [170]http://www.xs4all.nl/~jkuperus/msieread.htm
   Patched by [171]MS03-011 and [172]MS03-015
 
   CTRL-key file upload focus
   Description: Local file reading, downloading and executing arbitrary
   code.
   Published: July 23 2002
   Reference:
   [173]http://online.securityfocus.com/archive/1/283866/2002-07-21/2002-07-27/0
   Exploit: [174]http://jscript.dk/2002/7/sec/sandbladctrl.html
   (corrected to include SHIFT)
   [175]Patched by MS03-015
 
   Back Button CSS
   Description: Read cookies/local files and execute code (triggered when
   user hits the back button)
   Published: April 15th 2002
   Reference: [176]http://online.securityfocus.com/archive/1/267561
   [177]Patched by MS03-015
 
   HELP.dropper (IE6, OE6, Outlook)
   Description: Silent delivery and installation of an executable on a
   target computer
   Published: March 28th 2002
   Reference and example exploit:
   [178]http://www.malware.com/lookout.html
   Reference: [179]http://online.securityfocus.com/archive/1/264590
   [180]Patched by MS03-015
 
   JVM Bytecode Verifier
   Description: Escaping applet sandbox restrictions, taking any action.
   Published: November 21 2002
   Reference:
   [181]http://msgs.securepoint.com/cgi-bin/get/bugtraq0211/255.html
   Reference / POC: [182]http://lsd-pl.net/java_security.html
   [183]Patched by MS03-011
 
   Embedded files XSS
   Description: XSS to arbitrary sites, cookie theft
   Reference:
   [184]http://msgs.securepoint.com/cgi-bin/get/bugtraq0212/218.html
   Exploit:
   [185]http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm
   [186]Patched by MS03-015
 
   dialog style XSS
   Description: security zone XSS, cookie theft, monitoring the user.
   Published: December 3 2002
   Reference:
   [187]http://msgs.securepoint.com/cgi-bin/get/bugtraq0212/29.html
   Exploit: [188]http://jscript.dk/2002/11/sec/diemodalstyleXSS.html
   [189]Patched by MS03-015
 
   WMP Stench
   Description: Silent delivery and installation of an executable on a
   target computer
   Published: August 21 2002
   Reference: [190]http://www.malware.com/stench.html
   Exploit: [191]http://www.malware.com/malware.php
   [192]Patched by MS03-015
 
   cssText Local File Reading
   Description: Reading portions of local files, depending on structure.
   Published: April 2nd 2002
   Reference: [193]http://security.greymagic.com/adv/gm004-ie/
   Exploit: [194]http://security.greymagic.com/adv/gm004-ie/
   [195]Patched by MS03-015
 
   object longtype
   Description: Code execution
   Reference:
   [196]http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/49.html
   Exploit:
   [197]http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/78.html
   [198]Patched by MS03-020
 
   remote file request flooding
   Description: Arbitrary remote file execution
   Reference:
   [199]http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/130.html
   Reference:
   [200]http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/147.html
   Exploit: [201]http://www.malware.com/forceframe.html
   [202]Patched by MS03-020
 
   local file request flooding
   Description: Arbitrary local file execution
   Reference:
   [203]http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/85.html
   [204]Patched by MS03-020
 
   align buffer overflow
   Description: Buffer overflow, arbitrary code execution
   Reference:
   [205]http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/170.html
   [206]Patched by MS03-023
 
Related patches
 
   MS02-008
   Patches: XMLHTTP
   Published: February 22nd 2002 (21st February in USA)
   Location:
   [207]http://www.microsoft.com/technet/security/bulletin/MS02-008.asp
 
   MS02-044
   Patches: OWC Local File Detection, OWC Clipboard Access, OWC Local
   File Reading & OWC Scripting
   Published: August 20th 2002
   Location:
   [208]http://microsoft.com/technet/security/bulletin/MS02-044.asp
 
   IE6 Service Pack 1
   Patches: cssText and DynSrc
   Published: September 9th 2002
   Location:
   [209]http://microsoft.com/windows/ie/downloads/critical/ie6sp1/
 
   Windows XP Service Pack 1
   Patches: Everything IE6 SP1 patches, and XP Help deleter
   Published: September 9th 2002
   Location:
   [210]http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/
 
   MS02-050
   Patches: delegated SSL authority
   Published: September 4th 2002, last updated October 17th 2002
   Location:
   [211]http://microsoft.com/technet/security/bulletin/MS02-050.asp
 
   MS03-011
   Patches: ByteCode Verifier and all previous JVM related
   vulnerabilities, this is MS JVM build 3810.
   Published: April 9th 2003
   Location:
   [212]http://www.microsoft.com/technet/security/bulletin/MS03-011.asp
 
   MS03-020
   Notice: This is the latest IE cumulative patch. This combines all
   previous IE patches.
   Patches: object longtype overflow
   Published: June 4th 2003
   Location:
   [213]http://www.microsoft.com/technet/security/bulletin/MS03-020.asp
 
   MS03-032
   Notice: This is the latest IE cumulative patch. This combines all
   previous IE patches.
   Patches: OBJECT HTA execution, and other not publicly known
   vulnerabilities
   Published: August 20th 2003
   Location:
   [214]http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
 
   MS03-023
   Patches: align buffer overflow
   Published: July 10 2003
   Location:
   [215]http://www.microsoft.com/technet/security/bulletin/MS03-023.asp
 
Who
 
   Please mail any questions or comments to Thor Larholm -
   [216]thor@pivx.com
   thor (at) pivx (dot) com
   Copyright 2002 Pivx Solutions, LLC. All rights reserved.
 
References
 
   1. http://www.google.com/help/features.html#cached
   2. http://www.pivx.com/larholm/unpatched/
   3. http://www.pivx.com/larholm/unpatched/
   4. http://www.pivx.com/main.html
   5. http://www.pivx.com/sf.html
   6. http://www.pivx.com/solutions.html
   7. http://www.pivx.com/writings.html
   8. http://www.pivx.com/clients.html
   9. http://www.pivx.com/research/
  10. http://www.pivx.com/contact.html
  11. http://www.webstandards.org/upgrade/
  12. http://www.pivx.com/larholm/
  13. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_032
  14. file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_032
  15. http://www.pivx.com/larholm/unpatched/archivednews.html
  16. http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html
  17. http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
  18. http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM
  19. http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-MyPage.HTM
  20. http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-Content.HTM
  21. http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-MyPage.HTM
  22. http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-Content.HTM
  23. http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-MyPage.htm
  24. http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-Content.HTM
  25. http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-MyPage.htm
  26. http://safecenter.net/liudieyu/BackMyParent2/BackMyParent2-Content.HTM
  27. http://www.safecenter.net/liudieyu/BackMyParent2/BackMyParent2-MyPage.HTM
  28. http://safecenter.net/liudieyu/RefBack/RefBack-Content.HTM
  29. http://www.safecenter.net/liudieyu/RefBack/RefBack-MyPage.HTM
  30. http://safecenter.net/liudieyu/HijackClick/HijackClick-Content.HTM
  31. http://safecenter.net/liudieyu/HijackClick/HijackClick2-MyPage.HTM
  32. http://security.greymagic.com/adv/gm001-ie/
  33. http://security.greymagic.com/adv/gm001-ie/advbind.asp
  34. http://www.pivx.com/larholm/unpatched/6may03notes.html
  35. http://msgs.securepoint.com/cgi-bin/get/bugtraq0309/83.html
  36. http://www.malware.com/badnews.html
  37. http://www.malware.com/greymagic.html
  38. http://ip3e83566f.speed.planet.nl/eeye.html
  39. http://computerbytesman.com/security/notepadpopups.htm
  40. http://msgs.securepoint.com/cgi-bin/get/bugtraq0308/55.html
  41. http://badwebmasters.net/advisory/012/
  42. http://badwebmasters.net/advisory/012/test2.asp
  43.
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=6783
  44. http://www.malware.com/once.again%21.html
  45. http://sec.greymagic.com/adv/gm014-ie/
  46. http://sec.greymagic.com/adv/gm014-ie/
  47. http://sec.greymagic.com/adv/gm013-ie/
  48. http://sec.greymagic.com/adv/gm013-ie/
  49. http://www.secunia.com/advisories/8955/
  50. http://www.imilly.com/alexa.htm
  51. http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/15.html
  52. http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/52.html
  53. http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/48.html
  54. http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/13.html
  55. http://online.securityfocus.com/archive/1/66869
  56. http://www.guninski.com/parsedat-desc.html
  57. http://home.austin.rr.com/wiredgoddess/thepull/advisory4.html
  58. http://home.austin.rr.com/wiredgoddess/thepull/funRun.html
  59. http://www.pivx.com/larholm/unpatched/6may03notes.html
  60. http://msgs.securepoint.com/cgi-bin/get/bugtraq0303/107.html
  61. http://msgs.securepoint.com/cgi-bin/get/bugtraq0302/12.html
  62. http://kuperus.xs4all.nl/security/ie/xfiles.htm
  63. http://online.securityfocus.com/archive/1/284908/2002-07-27/2002-08-02/0
  64. http://www.geocities.co.jp/SiliconValley/1667/advisory02e.html
  65. http://jscript.dk/Jumper/xploit/ftpfolderview.html
  66. http://security.greymagic.com/adv/gm003-ie/
  67. http://www.pivx.com/larholm/unpatched/patch_IE6SP1
  68. http://security.greymagic.com/adv/gm002-ie/
  69.
http://eyeonsecurity.org/advisories/multple-web-browsers-vulnerable-to-extended-form-attack.htm
  70. http://www.securityfocus.com/bid/3779
  71. http://jscript.dk/Jumper/xploit/scriptsrc.html
  72. http://security.e-matters.de/advisories/012001.html
  73. http://suspekt.org/
  74. http://www.securityfocus.com/cgi-bin/archive.pl?id=1&threads=1&tid=242376
  75. http://www.microsoft.com/technet/security/bulletin/MS01-058.asp
  76. http://online.securityfocus.com/archive/88/245822
  77. http://jscript.dk/Jumper/xploit/contentspoof.asp
  78.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS05
  79. http://www.securityfocus.com/bid/3699
  80. http://jscript.dk/Jumper/xploit/xmlhttp.asp
  81.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS08
  82. http://www.securityfocus.com/bid/3721
  83. http://tom.me.uk/MSN/
  84. http://home.austin.rr.com/wiredgoddess/thepull/advisory3.html
  85.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS05
  86. http://www.securityfocus.com/bid/3767
  87. http://jscript.dk/Jumper/xploit/GetObject.html
  88.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS05
  89. http://online.securityfocus.com/archive/1/265459
  90. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS15
  91.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS23
  92. http://www.lac.co.jp/security/english/snsadv_e/48_e.html
  93. http://www.newsbytes.com/news/02/175484.html
  94.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS23
  95. http://security.greymagic.com/adv/gm008-ie/
  96. http://security.greymagic.com/adv/gm008-ie/
  97.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS02_044
  98. http://security.greymagic.com/adv/gm007-ie/
  99. http://security.greymagic.com/adv/gm007-ie/
 100.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS02_044
 101. http://security.greymagic.com/adv/gm006-ie/
 102. http://security.greymagic.com/adv/gm006-ie/
 103.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS02_044
 104. http://security.greymagic.com/adv/gm005-ie/
 105. http://security.greymagic.com/adv/gm005-ie/advowcscr.asp
 106.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS02_044
 107. http://jscript.dk/adv/TL002/
 108. http://jscript.dk/adv/TL002/
 109. http://security.greymagic.com/adv/gm001-ax/
 110.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS23
 111. http://www.solutions.fi/index.cgi/news_2002_06_04?lang=en
 112. http://www.microsoft.com/technet/security/bulletin/MS02-027.asp
 113. http://www.pivx.com/gopher_smoker.html
 114. http://www.pivx.com/larholm/adv/TL003/
 115. http://www.pivx.com/larholm/adv/TL003/
 116. http://online.securityfocus.com/archive/1/273168/2002-05-18/2002-05-24/0
 117. http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00224.html
 118. http://jscript.dk/2002/8/sec/xphelpdelete.html
 119.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_XSP1
 120. http://www.thoughtcrime.org/ie-ssl-chain.txt
 121. http://arch.ipsec.pl/inteligo.html
 122. http://www.thoughtcrime.org/ie.html
 123.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS02_050
 124. http://sec.greymagic.com/adv/gm010-ie/
 125. http://sec.greymagic.com/adv/gm010-ie/wfsimple.html
 126. http://security.greymagic.com/adv/gm011-ie/
 127. http://security.greymagic.com/adv/gm011-ie/
 128. http://www.pivx.com/larholm/adv/TL005/
 129. http://online.securityfocus.com/bid/5730/discussion/
 130. http://sec.greymagic.com/adv/gm012-ie
 131. http://sec.greymagic.com/adv/gm012-ie
 132. http://sec.greymagic.com/adv/gm012-ie
 133. http://sec.greymagic.com/adv/gm012-ie
 134. http://sec.greymagic.com/adv/gm012-ie
 135. http://sec.greymagic.com/adv/gm012-ie
 136. http://sec.greymagic.com/adv/gm012-ie
 137. http://sec.greymagic.com/adv/gm012-ie
 138. http://sec.greymagic.com/adv/gm012-ie
 139. http://sec.greymagic.com/adv/gm012-ie
 140. http://sec.greymagic.com/adv/gm012-ie
 141. http://sec.greymagic.com/adv/gm012-ie
 142. http://sec.greymagic.com/adv/gm012-ie
 143. http://sec.greymagic.com/adv/gm012-ie
 144. http://online.securityfocus.com/archive/1/296371/2002-10-19/2002-10-25/0
 145. http://clik.to/liudieyu
 146. http://online.securityfocus.com/archive/1/293692/2002-09-29/2002-10-05/0
 147. http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm
 148. http://jscript.dk/2002/10/sec/SaveRefLocalFile.html
 149. http://online.securityfocus.com/archive/1/290220/2002-09-01/2002-09-07/0
 150. http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm
 151. http://www.nextgenss.com/vna/ms-whelp.txt
 152. http://online.securityfocus.com/bid/4857
 153. http://sec.greymagic.com/adv/gm012-ie
 154. http://sec.greymagic.com/adv/gm012-ie
 155. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS02_068
 156. http://www.solutions.fi/index.cgi/news_2002_09_09?lang=eng
 157.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_011
 158. http://www.malware.com/yelp.html
 159. http://online.securityfocus.com/archive/1/275126
 160. http://www.malware.com/html.zip
 161. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015
 162. http://online.securityfocus.com/archive/1/300525/2002-11-17/2002-11-23/0
 163. http://www16.brinkster.com/liudieyu/BadParent/BadParent-MyPage.htm
 164. http://security.greymagic.com/misc/globalDgArg/
 165. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015
 166. http://sec.greymagic.com/adv/gm012-ie
 167. http://sec.greymagic.com/adv/gm012-ie
 168. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015
 169. http://online.securityfocus.com/archive/1/287895/2002-08-15/2002-08-21/0
 170. http://www.xs4all.nl/%7Ejkuperus/msieread.htm
 171.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_011
 172.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_015
 173. http://online.securityfocus.com/archive/1/283866/2002-07-21/2002-07-27/0
 174. http://jscript.dk/2002/7/sec/sandbladctrl.html
 175. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015
 176. http://online.securityfocus.com/archive/1/267561
 177. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015
 178. http://www.malware.com/lookout.html
 179. http://online.securityfocus.com/archive/1/264590
 180. http://www.pivx.com/larholm/unpatched/archivednews.html#patch_MS03_015
 181. http://msgs.securepoint.com/cgi-bin/get/bugtraq0211/255.html
 182. http://lsd-pl.net/java_security.html
 183.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_011
 184. http://msgs.securepoint.com/cgi-bin/get/bugtraq0212/218.html
 185. http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm
 186.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_015
 187. http://msgs.securepoint.com/cgi-bin/get/bugtraq0212/29.html
 188. http://jscript.dk/2002/11/sec/diemodalstyleXSS.html
 189.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_015
 190. http://www.malware.com/stench.html
 191. http://www.malware.com/malware.php
 192.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_015
 193. http://security.greymagic.com/adv/gm004-ie/
 194. http://security.greymagic.com/adv/gm004-ie/
 195.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_015
 196. http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/49.html
 197. http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/78.html
 198.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_020
 199. http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/130.html
 200. http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/147.html
 201. http://www.malware.com/forceframe.html
 202.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_020
 203. http://msgs.securepoint.com/cgi-bin/get/bugtraq0305/85.html
 204.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_020
 205. http://msgs.securepoint.com/cgi-bin/get/bugtraq0306/170.html
 206.
file://localhost/home/raymond/Raymond/old/home/raymond/pivxhack.html#patch_MS03_023
 207. http://www.microsoft.com/technet/security/bulletin/MS02-008.asp
 208. http://microsoft.com/technet/security/bulletin/MS02-044.asp
 209. http://microsoft.com/windows/ie/downloads/critical/ie6sp1/
 210. http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/
 211. http://microsoft.com/technet/security/bulletin/MS02-050.asp
 212. http://www.microsoft.com/technet/security/bulletin/MS03-011.asp
 213. http://www.microsoft.com/technet/security/bulletin/MS03-020.asp
 214. http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
 215. http://www.microsoft.com/technet/security/bulletin/MS03-023.asp
 216. mailto:thor@pivx.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html