[VIM] CVE-2000-0105 / BID 962 and CVE-2000-0653 / BID 1502 - dupes i think
jericho at attrition.org
Wed Oct 28 19:18:13 UTC 2009
I believe the entries in the subject line are dupes. There is no obvious
direct cross-reference between them to easily establish this, however the
nature of the bug and timeline suggests they are.
CVE-2000-0105 / BID 962 = Bugtraq post and BID ref. Advisory from Guninski
detailing using active scripting to "allow reading subsequently opened
email messages after a hostile message is opened" on 2000-02-01
CVE-2000-0653 / BID 1502 = MS bulletin and BID ref. MS advisory on
2000-07-20 detailing using script to create a persistent link to "retrieve
the text of mails subsequently displayed in the preview pane, and relay it
to the malicious user."
MS will not credit a researcher who doesn't play nice as you know, so
their advisory would not reference Guninski. Further, they do not give
credit to another researcher and the time after original disclosure is in
keeping with a MS investigation and patch release.
Based on the wording of each advisory, I believe these are dupes. If they
aren't, I would imagine the latter is a variation of the first attack.
More information about the VIM