[11626] in bugtraq
Re: IE5 allows executing programs
daemon@ATHENA.MIT.EDU (David LeBlanc)
Wed Sep  1 05:24:42 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <3.0.3.32.19990830094747.009ffdd0@mail.mindspring.com>
Date:         Mon, 30 Aug 1999 09:47:47 -0700
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To:         SysAdmin <SysAdmin@SASSPRODUCTIONS.COM>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <NDBBJHJLCKGHBILJGOJDAEANCAAA.SysAdmin@sassproductions.com>

At 04:24 PM 8/29/99 -0400, SysAdmin wrote:

>Now watch as I modify this to destroy Regedit 32

That's only if the user has write permissions to regedt32.  In terms of
causing the OS to crash, NT won't let you overwrite system binaries that it
is using at the moment.  Something else smart to do (at least under win2k)
is to use RunAs to run your browser under a lower privileged user than normal.

<snip really scary horror story - too bad Godzilla isn't in it>

>Has anyone figured out if an arbitrary binary could be executed?

George made that pretty clear.  I'll leave the details as an exercise to
the reader.  Safest thing to do is get the patch and set your system to
prompt you when something wants to script one of your ActiveX controls.
The problem here isn't so much ActiveX (which is really just equivalent to
a plug-in), but the fact that it can be scripted, and that the control
itself is responsible for announcing whether it is safe for scripting.

>Also, I understand outlook executes this code immediately, is
>it possible that this same code could cause someone's system to crash merely
>by opening the E-Mail?

This depends on how you have Outlook set up.  Outlook 2000 allows you to
set your e-mail viewing zone to anything you like.  Mine is set to
Untrusted Zone, which has nearly everything set to either off or prompt.
BTW, even default Untrusted Zone isn't untrusted enough for me, so a review
of what the actual settings are is probably in order.  I also like to set
all sorts of stuff to 'prompt' so that it doesn't ignore potential attacks.
Then I can take whatever action seems appropriate toward the site that is
doing rude things >8-)

Maybe it is just me, but DoS-ing end-users really seems about on par with
beating up elementary school kids for their lunch money.

David LeBlanc
dleblanc@mindspring.com
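
Added example (not code from this thread, from David LeBlanc, or from Microsoft): the message above notes that an ActiveX control is itself responsible for announcing whether it is safe for scripting. A control makes that claim in one of two ways: by listing the CATID_SafeForScripting component category {7DD95801-9882-11CF-9FA9-00AA006C42C4} under its CLSID's `Implemented Categories` key, or by answering an IObjectSafety query at runtime. The script below reads a `reg export HKCR\CLSID` text dump and lists the controls that make the registry form of the claim, so an administrator can review that list rather than trust each control's self-assessment. The CLSIDs, descriptions and file paths in SAMPLE_REG are constructed for the example; the script does not see controls that only implement IObjectSafety, which is a limitation to keep in mind.

```python
import re

# Component category GUIDs a control registers under
# HKCR\CLSID\{clsid}\Implemented Categories\ to announce that it is
# safe for scripting / safe for initialization from persistent data.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

# Constructed sample of a "reg export HKCR\CLSID" dump with two fake CLSIDs:
# the first claims both safety categories, the second claims neither.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-AAAA-BBBB-CCCC-000000000001}]
@="Example Scriptable Control (constructed)"

[HKEY_CLASSES_ROOT\CLSID\{00000000-AAAA-BBBB-CCCC-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-AAAA-BBBB-CCCC-000000000001}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-AAAA-BBBB-CCCC-000000000001}\InprocServer32]
@="C:\\Example\\scriptable.ocx"

[HKEY_CLASSES_ROOT\CLSID\{00000000-AAAA-BBBB-CCCC-000000000002}]
@="Example Plain Control (constructed)"

[HKEY_CLASSES_ROOT\CLSID\{00000000-AAAA-BBBB-CCCC-000000000002}\InprocServer32]
@="C:\\Example\\plain.dll"
"""

# Key line: [HKEY_CLASSES_ROOT\CLSID\{clsid}] or [...\{clsid}\subkey\...]
_KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})(?:\\(.*))?\]$")
# Default value line: @="..."
_DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def parse_clsids(reg_text):
    """Walk a .reg export and collect, per CLSID, the default-value description,
    the InprocServer32 path and the set of implemented category GUIDs."""
    controls = {}
    current = None  # (clsid, subkey) of the key whose values are being read
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            clsid, subkey = m.group(1).upper(), (m.group(2) or "")
            entry = controls.setdefault(
                clsid, {"clsid": clsid, "description": "", "server": "", "categories": set()}
            )
            if subkey.upper().startswith("IMPLEMENTED CATEGORIES\\"):
                entry["categories"].add(subkey.split("\\", 1)[1].upper())
            current = (clsid, subkey.upper())
            continue
        v = _DEFAULT_VALUE_RE.match(line)
        if v and current:
            clsid, subkey = current
            value = v.group(1).replace("\\\\", "\\")  # .reg escapes backslashes
            if subkey == "":
                controls[clsid]["description"] = value
            elif subkey == "INPROCSERVER32":
                controls[clsid]["server"] = value
    return controls


def safe_for_scripting(reg_text):
    """Return the controls that announce themselves safe for scripting, so the
    list can be reviewed instead of trusting each control's own claim."""
    hits = []
    for entry in parse_clsids(reg_text).values():
        if CATID_SAFE_FOR_SCRIPTING in entry["categories"]:
            hits.append({
                "clsid": entry["clsid"],
                "description": entry["description"],
                "server": entry["server"],
                "safe_for_init": CATID_SAFE_FOR_INIT in entry["categories"],
            })
    return sorted(hits, key=lambda h: h["clsid"])


if __name__ == "__main__":
    # Replace SAMPLE_REG with open("clsid.reg", encoding="utf-16").read() for a real
    # dump (reg export writes UTF-16 by default on current Windows versions).
    for h in safe_for_scripting(SAMPLE_REG):
        print(f'{h["clsid"]}  {h["description"]}  {h["server"]}'
              f'  safe_for_init={h["safe_for_init"]}')
```

The output is a review list, not a verdict: a control that claims to be safe for scripting is exactly the one that a browser or mail client zone set to "enable" will script without asking, so those are the entries worth checking against the vendor's patch status, or worth making the zone prompt for, as the message above suggests.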