Subject: Re: OBJECT TYPE="text/html" may allow executing arbitrary programs in IE 5.5
From: Jesper M. Johansson (jjohanss BU.EDU)
Date: Tue Nov 28 2000 - 14:11:17 CST
- Next message: Microsoft Product Security: "Microsoft Security Bulletin MS00-093"
- Previous message: Steve: "IIS 5.0 with patch Q277873 allows executing arbitrary commands"
- In reply to: Georgi Guninski: "Re: OBJECT TYPE="text/html" may allow executing arbitrary programs in IE 5.5"
- Reply: Jesper M. Johansson: "Re: OBJECT TYPE="text/html" may allow executing arbitrary programs in IE 5.5"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>You are right that setting "Run ActiveX Controls and Plug-Ins" to prompt
>or disable stops the demonstration.
>What I meant is that it stops <OBJECT TYPE="text/html"> and the
>following:
>> > 1) window.showHelp("c:\\dir\\hostile.chm")
>> > 2) <OBJECT CLASSID="clsid:000000000-0000-0000-00000-000000000002"
>may be in My Computer zone.
I'm not certain that I understand what you are saying here. Are you saying
that the window.showHelp() and/or <object classid="clsid:000... commands may
be executed from a page in the My Computer zone? That would only happen if
they are on a web-page that you have saved to your hard-drive and opened
locally. It would not even happen if you put them on a local web server and
access them as http://127.0.0.1/hostilepage.htm. Even 127.0.0.1 is in the
Internet Zone. The Temporary Internet Files folder is not strictly speaking
in the Internet Zone. However, if you open something stored there it will
execute in the security zone of the page where it originally came from,
which is most likely the Internet Zone.
Am I misunderstanding your statement? I think it is very important to get
this straight, since it would help people protect themselves against this
type of attack.
Jesper M. Johansson
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv listserv.ntsecurity.net
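The mitigation under discussion (setting "Run ActiveX Controls and Plug-Ins" to Prompt or Disable) is a per-zone setting, and Jesper's point is that which zone a page lands in decides whether that setting applies. The script below is an added example, not code from the thread or from either poster; it audits that one setting across all five IE zones so a reader can confirm the Internet zone (and the hidden My Computer zone that local files run in) is not left at Enable. It assumes the standard Internet Explorer zone layout in the registry: zone keys 0 through 4 under `Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones`, with the URL action `1200` (URLACTION_ACTIVEX_RUN, the "Run ActiveX controls and plug-ins" setting) stored as 0 = Enable, 1 = Prompt, 3 = Disable. The function name `Get-ZoneActiveXSetting` and the `Weak` flag are this example's own.

```powershell
# Added example (not from the original post): audit the per-zone
# "Run ActiveX controls and plug-ins" setting that the thread says stops
# the demonstration when set to Prompt or Disable.
# Assumption: standard IE zone layout. Per-user values live under HKCU;
# policy-enforced values may also exist under HKLM, so both are checked.

$zoneNames = @{
    0 = 'My Computer'      # local files (the zone Jesper says saved pages run in)
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'         # where http://127.0.0.1/... also lands, per the thread
    4 = 'Restricted sites'
}
$actionMeaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$activexRun = '1200'   # URLACTION_ACTIVEX_RUN: "Run ActiveX controls and plug-ins"

function Get-ZoneActiveXSetting {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)

    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    foreach ($id in 0..4) {
        $key = Join-Path $base $id
        if (-not (Test-Path $key)) { continue }   # zone key absent in this hive

        $raw = (Get-ItemProperty -Path $key -Name $activexRun -ErrorAction SilentlyContinue).$activexRun

        $meaning = if ($null -eq $raw) { 'not set' }
                   elseif ($actionMeaning.ContainsKey([int]$raw)) { $actionMeaning[[int]$raw] }
                   else { "unknown ($raw)" }

        [pscustomobject]@{
            Hive    = $Hive
            Zone    = "$id ($($zoneNames[$id]))"
            Value   = $raw
            Meaning = $meaning
            # The thread's mitigation only holds for web content if the
            # Internet zone is NOT at 0 (Enable); flag that case.
            Weak    = ($id -eq 3 -and $raw -eq 0)
        }
    }
}

# Usage: list the setting for every zone in both hives and highlight weak ones.
$results = @(Get-ZoneActiveXSetting -Hive HKCU) + @(Get-ZoneActiveXSetting -Hive HKLM)
$results | Format-Table -AutoSize
$results | Where-Object Weak | ForEach-Object {
    Write-Warning "$($_.Hive) zone $($_.Zone): ActiveX run is Enabled; set to Prompt (1) or Disable (3)."
}
```

A value read from HKLM reflects a machine-wide or policy setting; when both hives hold a value, the effective one is whichever IE honours on that build, so treat a weak value in either hive as worth fixing rather than assuming one overrides the other.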