Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [Full-Disclosure] MS04-004??
From: Paul Tinsley (pdtjackhammer.org)
Date: Tue Feb 03 2004 - 09:19:19 CST
It would seem I was actually quite wrong, it doesn't just fix the url
spoofing problem which is actually %01 not %00, duh. Anyway... The
fixes in MS04-004 are very similar to MS03-048 (so similar they copy and
pasted most of the bulletin,) BUT they are new vulnerabilities with the
same end state: remote code execution. Further adding to the reasoning
for an out of cycle release. I personally think they should make this
more clear, looking at MS03-048 and MS04-004 side by side makes you
think they just kept the rollup verbage and added the URL fix.
See CVE for more info:
David Vincent wrote:
>>They finally have a fix for the url spoofing problem (%00)
>>and updated a
>>previous IE roll up to cover it. I have seen reference to this bug
>>being used in the wild already, which meets Microsoft's out of cycle
>it also seems to have fixed the damn annoying scrolling bug.
>Full-Disclosure - We believe in it.
Full-Disclosure - We believe in it.