echo: nthelp
to: Geo.
from: Rich
date: 2003-01-26 17:11:30
subject: Re: More fiction, more nonsense

From: "Rich" 

   Except for a bug that would be a vulnerability in its own right, not unless you persuade the user to take an action against his own interest and click on a link to open such a page.  It's not like this is difficult.  Look at all the folks that happily opened EXEs sent as attachments after ignoring the warning that it is dangerous to do this.

Rich

  "Geo." wrote in message news:3e348290$1{at}w3.nls.net...
  Hmm.. could you fire up IE to go get the media player file from an email
  (extending the process <g>).

  Geo.

  "Rich" wrote in message news:3e342f8f$1{at}w3.nls.net...
     Couldn't be email as you can't play an ASF file with the background sound
  tags.  If you could then there would be an issue.  There isn't though.

  Rich

    "Geo." wrote in message news:3e3419e4$1{at}w3.nls.net...

    "Rich" wrote in message news:3e335e3e{at}w3.nls.net...
    >   The process starts with the user opening a web page just as the report you posted claims.

    Ok, granted the exploit is described as requiring someone to go to a web
    page first but since (imo) it's being kicked off by playing a media file it
    could just as easily have been an email (using the technique I used in this
    group to autoplay midi files). There is no requirement to have the user do
    anything with IE, it can be done with OE reading email or news as well.

    I'll reply in a new thread to another piece of your post that I would like
    to discuss further. I'm going to separate it from this thread in an attempt
    to untie the issue from what we are discussing here.

    Geo.




--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)
SEEN-BY: 633/267 270
@PATH: 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
