[22969] in bugtraq
Re: Javascript in IE may spoof the whole screen
daemon@ATHENA.MIT.EDU (Miguel Angel Rodriguez Jodar)
Tue Oct 23 18:50:26 2001
Date: Tue, 23 Oct 2001 22:23:40 +0100 (GMT+0100)
From: Miguel Angel Rodriguez Jodar <rodriguj@atc.us.es>
To: Julian Hall <jules@acris.co.uk>
Cc: guninski@guninski.com, Bugtraq <BUGTRAQ@securityfocus.com>
In-Reply-To: <3BD5AEBA.246991BF@acris.co.uk>
Message-ID: <Pine.OSF.4.10.10110232221560.7083-100000@icaro.fie.us.es>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Actually, both examples work. At least on MSIE 6.0 under Windows 98SE. The
original message states that vulnerable systems are IE 5.5 and later...
--
Miguel Angel Rodriguez Jodar | http://icaro.fie.us.es
Area de Arquitectura y Tecnologia de Computadores
Universidad de Sevilla
On Tue, 23 Oct 2001, Julian Hall wrote:
>
>
> Georgi Guninski wrote:
>
> > Georgi Guninski security advisory #50, 2001
> >
> > Javascript in IE may spoof the whole screen
> >
> > Systems affected:
> > IE 5.5/6.0 on Windows, probably earlier versions
>
> [...]
>
> >
> > Demonstration:
> >
> > Image moving over download/open dialog:
> > http://www.guninski.com/opf2.html
> > BSOD emulation:
> > http://www.guninski.com/bsod1.html
>
> Neither of these demonstrations function correctly in IE 5.0; they produce script
> error message boxes, reporting that the 'object does not support the requested
> method'. I don't know whether that means IE 5.0 isn't vulnerable or not...
>
>
>
