echo: nthelp
to: Geo.
from: Robert G Lewis
date: 2003-01-23 11:14:44
subject: Re: More fiction, more nonsense

From: "Robert G Lewis" 

Geo, I had meant to post to the group.

So a file being read by WMP will start IE and then execute something. That's
what I thought was going on.

I'm glad to know that WMP doesn't have a security problem though. Just
because it seems to start the ball rolling, it's not responsible.

Rich, is there any way to forbid WMP from starting IE? I didn't notice
anything in its options.

Bob Lewis

"Geo."  wrote in message
news:3e2f3b49$1{at}w3.nls.net...
> This section in the asf file that WMP reads:
>
> 
>  
> function malware(){
> alert("malware");location=("file://C%3A%5CMy%20Documents%5CMy%20Music%5CVirtual%20Albums%5Cmalware%5Cf ck.asx%20.")
>  }
>   
>
>
> Geo.
>
> "Robert G Lewis"  wrote in message
> news:3e2ecc9b{at}w3.nls.net...
> What is causing the pages to load in IE so the script can be run?
>
> Bob Lewis
>
>   "Rich"  wrote in message news:3e2eca1f{at}w3.nls.net...
>      There you go with lies again.  There is no script being run by WMP.
>   All the script in these examples is in web pages that are opened in IE.
>
>   Rich
>
>     "Geo."  wrote in message news:3e2e7cbc{at}w3.nls.net...
>     I beg to differ, since WMP is being used to execute code that the hacker
>     wrote, by definition there is an exploit in WMP. You of course are free
>     to call it a feature if you like.
>
>     Geo.
>
>     "Rich"  wrote in message news:3e2e16e9{at}w3.nls.net...
>        Obviously you do not understand.  There is no exploit in WMP in either
>     case.  Maybe you want to argue that the HTTP protocol is still unpatched
>     because all exploits in all browsers involving a web site require HTTP
>     and when HTTP is disabled none of these exploits work.
>
>     Rich
>
>       "Geo."  wrote in message news:3e2df83a$1{at}w3.nls.net...
>       I understand what you are saying but the wimpy exploit is not patched
>       is it?
>       What was patched was stage 2 of the hack (and maybe stage 3). The
>       media player exploit that's used to kick it off is still functional
>       even after you patch IE.
>
>       Geo.
>
>       "Rich"  wrote in message news:3e2ccb3f$1{at}w3.nls.net...
>          I know exactly which report it was to which you referred.  You
>       included a copy earlier.  Note that this one references the earlier
>       wimpy report.  The two are distinct reports.  Look at the dates.  They
>       are a year apart.  Also, the report to which you refer starts out with
>       a clear statement that it is just another scenario trying to exploit
>       problems reported earlier.  While both try to implicate WMP the only
>       connection to WMP is that it is used as one step in a complex
>       sequence.  Also true of both cases is that IE is the significant
>       component.  It's not just that IE was patched, but the root of the
>       vulnerability is with IE which is what was changed.  It's not with
>       everything that is used in the complex scenario.  If you follow that
>       logic, all these are vulnerabilities in the HTTP protocol because the
>       HTTP protocol is used in all of these and if you disable the HTTP
>       protocol system wide then the vulnerabilities disappear.  That is the
>       logic you tried earlier, albeit incorrectly, with scripting.  It
>       simply does not satisfy the rules of logic.
>
>       Rich
>
>         "Geo."  wrote in message news:3e2c9cbd$1{at}w3.nls.net...
>         Rich,
>
>         I value your knowledge about IE, but I don't see us agreeing on
>         this. Here is a link to the original writeup
>
>         http://lists.insecure.org/lists/bugtraq/2002/Aug/0316.html
>
>         In that link just before step one he says it's a combination of
>         several exploits the one that's used to kick it off is the wimpy
>         exploit of media player, he even links to it in his post
>         http://www.malware.com/wimpy.html
>         so we have the exploit author, the guy who discovered wimpy and me
>         saying it's a media player exploit and you and MS saying it's an IE
>         exploit. What makes his hack unique is the way in which he uses
>         wimpy to control IE components.
>
>         I think the difference in our viewpoints is because you are coming
>         at it from the patch side and I'm coming at it from the hack side.
>         You see it as being patched from IE, I see it as being exploited
>         from Media player.
>
>         Geo.
>
>         "Rich"  wrote in message news:3e2c354a$1{at}w3.nls.net...
>            Actually, it's an IE issue.  There was one IE issue which these
>         folks reported several distinct paths to the same issue as if they
>         are different issues.  In any case, if you go back and read this
>         thread you posted a different issue.  Try to read your own posts.
>         In any event, both are IE issues.
>
>         Rich
>
>
>
>
>

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)
SEEN-BY: 633/267 270
@PATH: 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
