
HTML Forum

    
*another* severe IE security vulnerability found
can't wait 'till second Tuesday for MS to fix
amznVibe




msg:614277
 3:54 am on Aug 20, 2004 (gmt 0)

Here we go again, fully patched systems, even with SP2 allow this bug to slip through:

[secunia.com...]
The vulnerability is caused due to insufficient validation of drag and drop events issued from the "Internet" zone to local resources. This can be exploited by a malicious website to e.g. plant an arbitrary executable file in a user's startup folder, which will get executed the next time Windows starts up.

Microsoft officially will only release patches every 2nd Tuesday of the month. That's almost a full 30 days away. Save yourself some pain, switch to Firefox, Opera, etc.
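A defensive check for the outcome the advisory describes, an executable appearing in a user's Startup folder (added example, not part of the original post or the advisory). The function names, the extension shortlist and the sample files are assumptions constructed for illustration; the caller supplies the real Startup folder path.

```python
import os
import tempfile
import time

# Extensions Windows will launch from a Startup folder (shortlist chosen for this example).
LAUNCHABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}

def audit_startup(folder, since_epoch):
    """Return (name, reasons, recent) for each file in `folder` that needs review."""
    findings = []
    for entry in sorted(os.scandir(folder), key=lambda e: e.name):
        if not entry.is_file():
            continue
        reasons = []
        ext = os.path.splitext(entry.name)[1].lower()
        if ext in LAUNCHABLE:
            reasons.append("launchable extension " + ext)
        with open(entry.path, "rb") as fh:
            if fh.read(2) == b"MZ":  # DOS/PE executable header, whatever the name says
                reasons.append("MZ header")
        if reasons:
            recent = entry.stat().st_mtime >= since_epoch
            findings.append((entry.name, reasons, recent))
    return findings

def demo():
    """Audit a constructed folder standing in for a user's Startup directory."""
    with tempfile.TemporaryDirectory() as folder:
        old = time.time() - 90 * 86400
        samples = {  # constructed sample files, not real artefacts
            "desktop.ini": (b"[.ShellClassInfo]\r\n", True),
            "updater.lnk": (b"L\x00\x00\x00", True),   # long-standing shortcut
            "notes.txt": (b"MZ\x90\x00", False),       # executable bytes, harmless name
            "dropped.exe": (b"MZ\x90\x00", False),     # new executable
        }
        for name, (data, is_old) in samples.items():
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(data)
            if is_old:
                os.utime(path, (old, old))
        return audit_startup(folder, since_epoch=time.time() - 86400)

if __name__ == "__main__":
    for name, reasons, recent in demo():
        print(name, reasons, "NEW" if recent else "old")
```

Entries flagged as recent and not matched to a known install are the ones to investigate first.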

 

Hester




msg:614278
 9:32 am on Aug 20, 2004 (gmt 0)

Disgusting.


Solution:
Disable Active Scripting or use another product.

bill




msg:614279
 9:41 am on Aug 20, 2004 (gmt 0)

Is this the same as this one [webmasterworld.com]? I thought that one had been debunked?

Then again I don't use IE... ;)

amznVibe




msg:614280
 9:46 am on Aug 20, 2004 (gmt 0)

Nope, it's a whole new one. And yes, it does affect SP2-patched PCs.

90%+ of IE's problems are because of OS integration and ActiveX. SP2 can't fix that.

MatthewHSE




msg:614281
 12:00 pm on Aug 20, 2004 (gmt 0)

Is it just my imagination, or is XP buggier than W2K? Somehow W2K doesn't seem to be getting as much attention as XP.

encyclo




msg:614282
 1:38 pm on Aug 20, 2004 (gmt 0)

Some Friday fun for IE users!

How to crash Internet Explorer (and therefore Windows) in 11 bytes!

Step 1:

Create a file with just the following markup, and save it as test.html (or whatever):

<style>@;/*

Step 2:

Open the file in IE. Kaboom! That's all, folks. I think it still works in SP2, but I'm not sure.

Lord Majestic




msg:614283
 1:48 pm on Aug 20, 2004 (gmt 0)

What disgusts me is that you can't easily reinstall the whole of IE - after installing Microsoft VS 2003 it installed some patches to IE which completely stopped JavaScript from working even though it's enabled. Tried to reinstall - complains newer version is installed, won't give option. Faking registry to make it believe it's uninstalled (as Microsoft suggested) is not good enough.

After wasting a few hours I moved to Firefox both at home and at work and feel no regrets.

Stefan




msg:614284
 1:51 pm on Aug 20, 2004 (gmt 0)

Yep, that's very effective, encyclo.

It's interesting to then open it in Firefox.... you get some gobbledygook but it sure doesn't crash.

mattglet




msg:614285
 2:05 pm on Aug 20, 2004 (gmt 0)

encyclo-

Being an Opera user, that is absolutely hilarious. I saved the page on our dev server, and had a co-worker try it out.

"What the hell did you just do?"

Too funny.

isitreal




msg:614286
 5:51 pm on Aug 20, 2004 (gmt 0)

I ran that on IE 5.5 and it didn't do anything, oh well, guess it's an IE 6 thing? Glad I never switched to 6, I only use 6 for testing, on another platform.

Hester




msg:614287
 8:40 am on Aug 23, 2004 (gmt 0)

Why?

DrOliver




msg:614288
 9:37 am on Aug 23, 2004 (gmt 0)

I can't even save the file encyclo suggested. The moment I am saving it, off it goes. Nowhere to be found on the hard-drive. So I cannot even crash IE with it. The file disappears the moment I am saving it, without a chance of opening it in any application.

Funny. It doesn't even say goodbye when it does that. Just *poof* and gone. Well, actually, not even *poof*. Just gone.

benihana




msg:614289
 9:42 am on Aug 23, 2004 (gmt 0)

Do you have AV software running?

As soon as I tried to save, McAfee deleted it.

Receptional Andy




msg:614290
 9:45 am on Aug 23, 2004 (gmt 0)

Why?

If the question was why does that code crash IE, then a pretty good explanation is here - [seclists.org...]

DrOliver




msg:614291
 9:52 am on Aug 23, 2004 (gmt 0)

Do you have AV software running?

Yes, of course.

As soon as I tried to save, McAfee deleted it.

That might be it for me too.

StupidScript




msg:614292
 11:44 pm on Aug 23, 2004 (gmt 0)

Those of you who regret "updating" to IE6, or are having problems with some of the patches you've installed since "upgrading" can often do one of a couple of things to get back in the groove:

1) XP users can "rollback" their system to pre-IE-update condition and start over

2) In Add/Remove Programs, when you select IE to uninstall, it offers to "rollback" to the previous version, if you have kept the files required to do so...which you should always do for at least one generation of MS releases...just in case.

I know on several systems, installing the IE6 "upgrade" and then returning to windowsupdate produces lots of errors with the MS site. To fix it, you've got to do the "rollback" thing, install the rest of the security updates, set your security to low-medium, and THEN try the "upgrade". That usually works, for those who can't do without IE.

Very happy with Firefox, thenk ewe. I'll take modularity over integration in any situation where it is not absolutely necessary...and this is clearly one of those instances.

Adrian2k4




msg:614293
 7:48 pm on Aug 25, 2004 (gmt 0)

@encyclo

I tested it with IE 6.0.2900.2180.xpsp_sp2_rtm.040803-2158 (note WinXP Pro SP2) and it didn't work.
