Subject: IP: YAMSB Yet another MS security bo-bo
------ Forwarded Message
From: Tom Van Vleck <thvv@multicians.org>
Date: Mon, 4 Mar 2002 12:12:09 -0500
To: farber@cis.upenn.edu

Hi Dave,

Have you seen the latest MSIE and Outlook virus on The Register?
http://www.theregus.com/content/4/24206.html

"An attacker can run arbitrary commands on Windows machines with a simple bit of HTML, an Israeli security researcher has demonstrated. The exploit will work with IE, Outlook and Outlook Express even if active scripting and ActiveX are disabled in the browser security settings."

Happens with MSIE 5.5+ only according to Bugtraq. It uses a feature called "data binding" that interprets the content of a data field as HTML in the local security zone. The article presents a code snippet that anyone could copy and edit to launch any program, if they know the pathname of it on the target machine. Luckily it appears the attacker can't pass an argument to the program, so can't say "format c:".

------ End of Forwarded Message

For archives see: http://www.interesting-people.org/archives/interesting-people/
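
A defensive sketch of the mechanism described in the message, added here and not part of the original post or the article: a mail or proxy filter that flags markup which binds a data field and asks for it to be rendered as HTML. It assumes the feature is Internet Explorer's `datasrc` / `datafld` / `dataformatas` attributes and `<xml>` data islands, which the message does not name; the sample bodies are constructed.

```python
from html.parser import HTMLParser

# Assumption: "data binding" here means IE's datasrc / datafld / dataformatas
# attributes and <xml> data islands; the forwarded message does not name them.


class BindingScanner(HTMLParser):
    """Records elements that bind a data field and request HTML rendering."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []    # (line, tag, datasrc, datafld)
        self.islands = set()  # ids of <xml> data islands carried in the body

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        a = {name: (value or "") for name, value in attrs}
        if tag == "xml" and a.get("id"):
            self.islands.add(a["id"])
        renders_html = a.get("dataformatas", "").strip().lower() == "html"
        if renders_html and ("datasrc" in a or "datafld" in a):
            line, _ = self.getpos()
            self.findings.append((line, tag, a.get("datasrc", ""), a.get("datafld", "")))


def scan(html_body):
    """Return (line, tag, datafld, source_is_inline) per HTML-formatted binding.

    source_is_inline is True when the bound data island ships inside the same
    body, i.e. the sender controls both the binding and the data.
    """
    s = BindingScanner()
    s.feed(html_body)
    s.close()
    return [(line, tag, fld, src.lstrip("#") in s.islands)
            for line, tag, src, fld in s.findings]


# Constructed sample bodies, not taken from the article or from Bugtraq.
BOUND_AS_HTML = """<html><body>
<xml id="island"><r><f>&lt;b&gt;hello&lt;/b&gt;</f></r></xml>
<span datasrc="#island" datafld="f" dataformatas="html"></span>
</body></html>"""

BOUND_AS_TEXT = """<html><body>
<xml id="island"><r><f>hello</f></r></xml>
<span datasrc="#island" datafld="f"></span>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("html", BOUND_AS_HTML), ("text", BOUND_AS_TEXT)):
        print(name, scan(body))
```

A filter built this way works on the markup alone, so it does not depend on the client's scripting or ActiveX settings.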