[33255] in bugtraq
Re: Windows XP Explorer Executes Arbitrary Code in Folders
daemon@ATHENA.MIT.EDU (Stuart Moore)
Mon Jan 26 16:12:27 2004
Message-ID: <40157413.7080901@securityglobal.net>
Date: Mon, 26 Jan 2004 15:09:55 -0500
From: Stuart Moore <smoore.bugtraq@securityglobal.net>
MIME-Version: 1.0
To: Thor Larholm <thor@pivx.com>, bugtraq@securityfocus.com
In-Reply-To: <00f601c3e43c$06799d70$6401a8c0@0xff>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Thor,
>Why don't we call a spade a spade?
You are rather humorous! But I can be humorous, too: why don't we call a folder a folder?
Seriously, though, the interesting part is indeed not the self execution and not the HTML
in Local zone. The more interesting part is the HTML file as folder. Considering that
the typical Microsoft OS user has no clue what a MIME type is (and, for that matter, does
not know what HTML is, and doesn't know about zones), do you think that having an HTML
file be announced by the operating system's GUI as a folder is a Good Thing or a Bad
Thing? I would suggest that it leans more towards Idiot Engineering (http-equiv's term)
than Trustworthy Computing (MS term).
Stuart
