 
From: Thor Larholm (thor_at_PIVX.COM)
Date: Wed Oct 23 2002 - 08:49:50 CDT


    After GreyMagic released their email advisory they updated the advisory on
    their website. Apparently, further testing revealed that IE6 SP1 did not
    fix these holes in a generic way, and instead chose to apply security
    checks on individual methods and properties.

    These 2 properties seem to have been overlooked, and I suspect that many
    more will follow in the category of caching vulnerabilities.

    I can personally confirm through my own testing that the "external" and
    "clipboardData" caching vulnerabilities are still unpatched even on IE6 SP1,
    enabling cookie theft, local file reading and arbitrary command execution
    even in IE6 SP1. Peer research (such as jelmer's post on the bugtraq list)
    reveals the same.

    As such, I would take the words of the updatable website advisory over the
    unchangeable email advisory any day. IE 5.5 SP2 and IE6 SP1 are both
    vulnerable, the latter just to a lesser extent.

    Regards
    Thor Larholm, Security Researcher
    PivX Solutions, LLC

    Are You Secure?
    http://www.PivX.com

    -----Original Message-----
    From: Holger Hasenstrauch [mailto:holgerRDT.CO.UK]
    Sent: 23. oktober 2002 13:55
    To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
    Subject: Re: Vulnerable cached objects in IE (9 advisories in 1)

    This advisory on NTBugtraq says that IE6 SP1 is not vulnerable, but the
    advisory on the website (http://sec.greymagic.com/adv/gm012-ie/) says:

    "IE6 SP1 is vulnerable to the "external" and "clipboardData" vulnerabilities
    and immune to the rest."

    Can anyone clarify?

    --
    Holger Hasenstrauch
    

    > -----Original Message-----
    > From: GreyMagic Software [mailto:securityGREYMAGIC.COM]
    > Sent: 22 October 2002 16:24
    > Subject: Vulnerable cached objects in IE (9 advisories in 1)
    >
