From: "Geo." 

There are 2 exploits being used as mentioned in the original description
that I posted here, you seem to only want to address the second while I'm
obviously addressing the first. Regardless, the script in the html file
with the asf extension is being executed by media player not IE. It is this
that makes it possible to exploit the second exploit that uses IE with
another security issue (that exploit being loaded from a web page). The
fact that the IE security issue can be patched doesn't stop the scripting
in Media player from working.

I can cure the media player exploit by turning off active scripting system
wide, no IE patch, just change scripting default so scripting is disabled
system wide (media player, OE, IE, etc) and this exploit no longer
functions. So if media player isn't supporting scripting, then why would
turning scripting off and not patching IE prevent this exploit from
working?

Geo.

"Rich"  wrote in message news:3e2a4a0b{at}w3.nls.net...
   The vulnerability has absolutely nothing to do with the ASF file.  Since
you can't be bothered to read the security bulletin to which I referred you
I'll make it simple even for you.  The issue is with the HTML file which
contains script that navigates from a web hosted page to a local file. 
That is with the HTML page should make sense considering what I've told you
several times already.  That the issue is in IE and that the vulnerability
goes away when you update IE with the update in the bulletin to which I
referred you several times.

   And despite your repetition, WMP does not support a system wide
interpreter or otherwise.  There is something that sometimes is called
script, sometimes events, and other names.  The mechanism allows
applications hosting the Windows Media control to define their own events
which they include in their media and handle those events any way they see
fit.  There are some standard ones that the player supports.  That's about
as close to scripting as it gets.  None has any relevance to the IE
navigation issue that is fixed by the security bulletin to which I have
referred you several times.

   Again, you can keep trying to spin this until you are blue in the face.
It won't make it so.

Rich

  "Geo."  wrote in message
news:3e2a1253{at}w3.nls.net...
  Ok, I make typo's too. Regardless of whether it's an html file or not the
  extension is .asf which means it's media player that runs it. Does it
really
  matter if media player uses some shared components to enable it's
scripting?
  I mean when the asx file is executed it's pointing to a asf file and the
  extension is associated with media player so it's media player that opens
  that asf file, yes?

  Understand, all I'm saying is that media player supports scripting, I
don't
  think it matters that it uses a system wide scripting interpreter because
  that doesn't change the fact that it's media player kicking it off.

  Geo.

  "Rich"  wrote in message news:3e2a0a28$1{at}w3.nls.net...
     Sorry.  A typo.  No difference.  There is no script in either.

     Why don't you just read the original report which you went to the
trouble
  to find but not read.  The script in the report is in an HTML file.  That
is
  the key component of this scenario and if you install the IE update to
which
  I referred you without making any change to WMP you would find that you
  could not reproduce this.

  Rich

    "Geo."  wrote in message
news:3e29f66b{at}w3.nls.net...
    You don't even know what's going on in the message you are replying to,
    please point out where I said anything about a script in an asx file.
  (it's
    right below, should be easy to find)

    Geo.

    "Rich"  wrote in message news:3e29da5b$1{at}w3.nls.net...
       No.  I know exactly what is going on not just because I actually read
  the
    original posting but also because I understand it.  Despite your
continued
    lies, there is no script in ASX files and WMP doesn't execute any script
  in
    the scenario given in the report.  You can continue to say otherwise
until
    you are blue in the face but it will not make it so.

    Rich

      "Geo."  wrote in message
news:3e29bf95$1{at}w3.nls.net...
      "Rich"  wrote in message news:3e29abfb$1{at}w3.nls.net...
      >   First, ASX files have no script.  Never have.  Are you going to
    continue
      to lie to try to support your false claims?

      >>  the asx file is basically the same thing as a shortcut
      >> the asf file has a script section in it which media player happily
      executes,

      Are you fucking blind?

      Geo.

--- BBBS/NT v4.01 Flag-4