[23697] in bugtraq
Re: IE GetObject() problems
daemon@ATHENA.MIT.EDU (Georgi Guninski)
Fri Jan 4 11:40:59 2002
Message-ID: <3C35C49C.8EEA0FFB@guninski.com>
Date: Fri, 04 Jan 2002 17:05:00 +0200
From: Georgi Guninski <guninski@guninski.com>
Reply-To: guninski@guninski.com
MIME-Version: 1.0
To: Michael Fellows <mfellows@dot.state.ut.us>
Cc: Bugtraq <BUGTRAQ@securityfocus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

It works for me on default settings of IE 6.0/5.5/Win2K.
Note: AFAIK Microsoft neither confirms nor denies it is a bug;
the last I heard from them was that they were investigating my report.

Georgi Guninski,
http://www.guninski.com

Michael Fellows wrote:
>
> I tested this with the following systems:
>
> Win2K, IE 6.0.2600.0000CO w/Q313675
> Win95, IE 5.50.4807.2300CO w/SP2
>
> IE gives an "Error: Automation server can't create object" error unless
> "Initialize and script ActiveX controls not marked as safe" is set to
> "Enable" in the "Local intranet" Zone. At which point the vulnerability
> as listed works.
>
> User intervention is required to enable this setting because default
> settings and settings provided via the "Reset custom settings" default to
> either "Disable" or "Prompt".
>
> Were you able to get past this setting? If not, then I don't see this as
> being too large of a threat.
>
> Thank you,
>
> Michael
>
> --
> Michael Fellows
> Utah Department of Transportation
> email: mfellows@dot.state.ut.us
> pgp key: 0x6D8C2EF7
>
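
Added example, not part of either message in this thread: a PowerShell audit that reports how "Initialize and script ActiveX controls not marked as safe" is set in each IE security zone on a host, so the setting discussed above can be verified rather than assumed. It relies on the standard Windows layout in which this option is URL action 1201 under the Internet Settings "Zones" keys, zones are numbered 0-4, and the value data is 0 = Enable, 1 = Prompt, 3 = Disable; the script's variable names are its own.

```powershell
# Added example: report URL action 1201 ("Initialize and script ActiveX controls
# not marked as safe") for every IE security zone, from policy and per-user keys.
$action    = '1201'
$zoneNames = 'My Computer', 'Local intranet', 'Trusted sites', 'Internet', 'Restricted sites'
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Locations checked: machine policy, user policy, then the per-user preference.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$report = foreach ($root in $roots) {
    foreach ($zone in 0..4) {
        $key  = Join-Path $root $zone
        $prop = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }   # value not set at this location

        $raw = [int]$prop.$action
        [pscustomobject]@{
            Zone    = $zoneNames[$zone]
            Source  = $root
            Value   = $raw
            Setting = if ($meaning.ContainsKey($raw)) { $meaning[$raw] } else { 'Unknown' }
            # Enable (0) means controls not marked safe are scripted with no prompt.
            Finding = if ($raw -eq 0) { 'REVIEW' } else { 'ok' }
        }
    }
}

if ($report) {
    $report | Sort-Object Zone, Source | Format-Table -AutoSize
} else {
    Write-Output "URL action $action is not set in any of the checked keys."
}
```

A row marked REVIEW in the "Local intranet" zone corresponds to the configuration in which the reported error no longer appears.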