[11228] in bugtraq
Re: [New ActiveX security problems in Windows 98 PCs]
daemon@ATHENA.MIT.EDU (McKay)
Tue Aug 3 04:14:10 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Message-Id: <19990802165640.26042.qmail@wwcst212.netaddress.usa.net>
Date: Mon, 2 Aug 1999 11:56:40 CDT
Reply-To: McKay <seanmckay@NETSCAPE.NET>
From: McKay <seanmckay@NETSCAPE.NET>
X-To: "David N.Murray" <dmurray@JSBSYSTEMS.COM>,
BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
"David N. Murray" <dmurray@JSBSYSTEMS.COM> wrote:
> What can computer manufacturers and software companies do about the
> problem of security holes in pre-installed ActiveX controls? As it turns
> out, Internet Explorer 5 already offers a great solution. IE5 supports a
> new feature called HTML applications (or .HTA files). An HTML Application
> is built like a Web page but can only be loaded and executed from the hard
> drive. Because an .HTA file comes from the local drive and not the
> Internet, scripts on the page are completely trusted and are allowed to
> use all ActiveX controls installed on a system whether the controls are
> marked safe or not. For an HTML application, none of its private ActiveX
> controls have to be marked safe for scripting and therefore the controls
> cannot be misused on Web pages.
>
I hate to burst your bubble, but .HTA files can come from the Internet. When
an IE4 or IE5 browser encounters a .HTA file on the Internet, it prompts with
a typical open/save dialog box.
If you tell the dialog to open it, it runs on your system with fully trusted
permissions (i.e. no security).
For an example of a .HTA from the Internet go to...
http://msdn.microsoft.com/workshop/essentials/versions/Ie5hta.asp
and look for a link on the page with the text:
"Here's how this simple HTA looks".
McKay
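As an added example (not code from the post or its author), here is a small check that flags HTA content fetched from remote web servers, which, as the reply points out, runs fully trusted once the user tells the open/save dialog to open it. It assumes a simplified, constructed proxy-log format and that the server labels the file with the application/hta MIME type.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the original post).
# Format assumed here: "<client_ip> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
10.0.0.5 GET http://msdn.microsoft.com/workshop/essentials/versions/Ie5hta.asp 200 text/html
10.0.0.5 GET http://example.test/demo/simple.hta 200 application/hta
10.0.0.7 GET http://example.test/download?id=42 200 application/hta
10.0.0.9 GET http://example.test/images/logo.gif 200 image/gif
10.0.0.9 GET http://example.test/page.HTA?x=1 200 text/plain
"""

# MIME type used for HTML Applications; the extension check below is kept
# as well because a server may mislabel the content.
HTA_MIME = "application/hta"

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def is_hta_download(url: str, content_type: str) -> bool:
    """True if the response looks like an HTA fetched over the network.

    Matches on the URL path extension (case-insensitive, query string
    ignored) or on the declared MIME type, whichever gives it away.
    """
    path = urlparse(url).path
    return path.lower().endswith(".hta") or content_type.lower().startswith(HTA_MIME)


def flag_hta_downloads(log_text: str):
    """Return (client, url, content_type) for every remote HTA fetch."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than crash on them
        client, _method, url, _status, ctype = match.groups()
        if is_hta_download(url, ctype):
            findings.append((client, url, ctype))
    return findings


if __name__ == "__main__":
    for client, url, ctype in flag_hta_downloads(SAMPLE_LOG):
        print(f"HTA from the Internet: {client} fetched {url} ({ctype})")
```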