[26977] in bugtraq
RE: Who framed Internet Explorer and IE6 SP1
daemon@ATHENA.MIT.EDU (GreyMagic Software)
Tue Sep 10 13:43:41 2002
From: "GreyMagic Software" <security@greymagic.com>
To: "Bugtraq" <bugtraq@securityfocus.com>
Date: Tue, 10 Sep 2002 19:21:53 +0200
Message-ID: <LPBBLDGNEFOGMGAEHJPBIEOMCPAA.security@greymagic.com>
In-reply-to: <007101c258e0$1c304800$858370d4@thor2k>

We received numerous emails asking whether the frames issue is (partially)
fixed in IE6 SP1 since the "Program execution" and "Local file reading"
demonstrations in our advisory did not function.

These demonstrations did not function because SP1 blocks links to res:// and
file:// URLs and not because Microsoft fixed the core vulnerability (this
could have been verified by running the first and second demonstrations).

We have now revised both demonstrations according to Thor's post, and it is
again possible to read local files and execute programs under IE6 SP1 as
well.

The advisory and demonstrations can be found at
http://sec.greymagic.com/adv/gm010-ie/.

>..Ironically, though, the fix itself opens up a way to circumvent this
>security measure. You can still open any file:// or res:// file
>automatically with
>
><object type="text/html" data="redirect.asp"></object>