echo: nthelp
to: Rich
from: Geo.
date: 2003-01-22 22:22:30
subject: Re: More fiction, more nonsense

From: "Geo." 

It is part of the asf file that media player loads after finding a pointer
to it in the asx file.

Geo.

"Rich"  wrote in message news:3e2f54b9{at}w3.nls.net...
   More lies.  This is in an HTML file that WMP never sees.  It's loaded by
IE in the scenario described in the original report.

   Why don't you even bother to read the stuff you post?

Rich

  "Geo."  wrote in message
news:3e2f3b49$1{at}w3.nls.net...
  This section in the asf file that WMP reads:

  
   
  function malware(){
    alert("malware");
    location=("file://C%3A%5CMy%20Documents%5CMy%20Music%5CVirtual%20Albums%5Cmalware%5Cf ck.asx%20.")
  }
    


  Geo.

  "Robert G Lewis"  wrote in message
  news:3e2ecc9b{at}w3.nls.net...
  What is causing the pages to load in IE so the script can be run?

  Bob Lewis

    "Rich"  wrote in message news:3e2eca1f{at}w3.nls.net...
       There you go with lies again.  There is no script being run by WMP.
  All the script in these examples is in web pages that are opened in IE.

    Rich

      "Geo."  wrote in message
news:3e2e7cbc{at}w3.nls.net...
      I beg to differ, since WMP is being used to execute code that the hacker
      wrote, by definition there is an exploit in WMP. You of course are free to
      call it a feature if you like.

      Geo.

      "Rich"  wrote in message news:3e2e16e9{at}w3.nls.net...
         Obviously you do not understand.  There is no exploit in WMP in either
      case.  Maybe you want to argue that the HTTP protocol is still unpatched
      because all exploits in all browsers involving a web site require HTTP and
      when HTTP is disabled none of these exploits work.

      Rich

        "Geo."  wrote in message
  news:3e2df83a$1{at}w3.nls.net...
        I understand what you are saying but the wimpy exploit is not patched is
        it? What was patched was stage 2 of the hack (and maybe stage 3). The
        media player exploit that's used to kick it off is still functional even
        after you patch IE.

        Geo.

        "Rich"  wrote in message news:3e2ccb3f$1{at}w3.nls.net...
           I know exactly which report it was to which you referred.  You
        included a copy earlier.  Note that this one references the earlier
        wimpy report.  The two are distinct reports.  Look at the dates.  They
        are a year apart.  Also, the report to which you refer starts out with a
        clear statement that it is just another scenario trying to exploit
        problems reported earlier.  While both try to implicate WMP the only
        connection to WMP is that it is used as one step in a complex sequence.
        Also true of both cases is that IE is the significant component.  It's
        not just that IE was patched, but the root of the vulnerability is with
        IE which is what it was changed.  It's not with everything that is used
        in the complex scenario.  If you follow that logic, all these are
        vulnerabilities in the HTTP protocol because the HTTP protocol is used
        in all of these and if you disable the HTTP protocol system wide then
        the vulnerabilities disappear.  That is the logic you tried earlier,
        albeit incorrectly, with scripting.  It simply does not satisfy the
        rules of logic.

        Rich

          "Geo."  wrote in message
  news:3e2c9cbd$1{at}w3.nls.net...
          Rich,

          I value your knowledge about IE, but I don't see us agreeing on this.
          Here is a link to the original writeup

          http://lists.insecure.org/lists/bugtraq/2002/Aug/0316.html

          In that link just before step one he says it's a combination of
          several exploits the one that's used to kick it off is the wimpy
          exploit of media player, he even links to it in his post
          http://www.malware.com/wimpy.html so we have the exploit author, the
          guy who discovered wimpy and me saying it's a media player exploit and
          you and MS saying it's an IE exploit. What makes his hack unique is
          the way in which he uses wimpy to control IE components.

          I think the difference in our viewpoints is because you are coming at
          it from the patch side and I'm coming at it from the hack side. You
          see it as being patched from IE, I see it as being exploited from
          Media player.

          Geo.

          "Rich"  wrote in message news:3e2c354a$1{at}w3.nls.net...
             Actually, it's an IE issue.  There was one IE issue which these
          folks reported several distinct paths to the same issue as if they are
          different issues.  In any case, if you go back and read this thread
          you posted a different issue.  Try to read your own posts.  In any
          event, both are IE issues.

          Rich

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)
SEEN-BY: 633/267 270
@PATH: 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
