[VIM] CVE-2000-0105 / BID 962 and CVE-2000-0653 / BID 1502 - dupes i think

security curmudgeon jericho at attrition.org
Wed Oct 28 19:18:13 UTC 2009

I believe the entries in the subject line are dupes. There is no obvious 
direct cross-reference between them to easily establish this, however the 
nature of the bug and timeline suggests they are.

CVE-2000-0105 / BID 962 = Bugtraq post and BID ref. Advisory from Guninski 
detailing using active scripting to "allow reading subsequently opened 
email messages after a hostile message is opened" on 2000-02-01

CVE-2000-0653 / BID 1502 = MS bulletin and BID ref. MS advisory on 
2000-07-20 detailing using script to create a persistent link to "retrieve 
the text of mails subsequently displayed in the preview pane, and relay it 
to the malicious user."

MS will not credit a researcher who doesn't play nice as you know, so 
their advisory would not reference Guninski. Further, they do not give 
credit to another researcher and the time after original disclosure is in 
keeping with a MS investigation and patch release.

Based on the wording of each advisory, I believe these are dupes. If they 
aren't, I would imagine the latter is a variation of the first attack.

More information about the VIM mailing list