[11266] in bugtraq
Re: IE5 ActiveX security bug
daemon@ATHENA.MIT.EDU (Adam H. Pendleton)
Thu Aug 5 10:10:45 1999
Message-Id: <000901beddde$cb6e3c30$bdd0be80@belvoir.army.mil>
Date: Tue, 3 Aug 1999 14:34:17 -0400
Reply-To: "Adam H. Pendleton" <apendleton@VGSINC.COM>
From: "Adam H. Pendleton" <apendleton@VGSINC.COM>
X-To: sami@iqs.fi, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Assuming that this would apply to non-malicious ActiveX controls, I cannot
reproduce this condition with IE 5 on Windows NT. I have set the ActiveX
setting to "Prompt.." and went to http://www.microsoft.com/mscorp/. The
first time, I selected "Yes", and the virtual tour picture activated. I
closed IE5, went back to the page, selected no, and it did NOT run. Even
going back to the page, I was still prompted, and could not get the control
to run again without selecting yes. Perhaps this is a unique case, or a
caching issue.
Adam
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Si hoc legere scis nimium eruditionis habes.
----- Original Message -----
From: Sami Kuhmonen <feenix@IQS.FI>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Sunday, August 01, 1999 2:21 PM
Subject: IE5 ActiveX security bug

> There is a severe bug in Internet Explorer 5's security system concerning
> ActiveX components on web pages.
>
> If you go to a web page that has an evil ActiveX component (for example,
> the component shuts down Windows) and tell IE to run the component, of
> course it runs it. After that you know that you do not want to run that
> component. But what happens when you go to that page later? IE5 asks
> whether you want to run this component or not. Say no, and it still runs
> it!
>
> So all it takes is one little mistake to run the component and it will be
> run every time you go to a page with that component.
>
> And think what will happen, if the component doesn't do its damage the
> first time, but the second time or later. Even if you don't want to run
> it, it will be run. And it might not even be shown on the screen.
>
> --
> Sami Kuhmonen | sami@iqs.fi | http://feenix.iqs.fi/
> iQs Partners Finland | iqs@iqs.fi | http://www.iqs.fi/
> !!Web hosting with no setup fee!! | http://www.saitti.net/
> * Visit the online store! | http://kauppa.iqs.fi/ *