Bugtraq: Re: IE5 ActiveX security bug

From: Hakeem Shittu <hshittu_at_CAS.ORG>
Date: Tue, 3 Aug 1999 15:03:18 -0400

Sami Kuhmonen wrote:

> There is a severe bug in Internet Explorer 5's security system concerning
> ActiveX components on web pages.
>
> If you go to a web page that has an evil ActiveX component (for example,
> the component shuts down Windows) and tell IE to run the component, of
> course it runs it. After that you know that you do not want to run that
> component. But what happens when you go to that page later? IE5 asks
> whether you want to run this component or not. Say no, and it still runs
> it!

I tested this feature on a Win98 box with the strict security setting and
could not reproduce this, except for the repeated requests to install/run
the control. Particularly tested was the portion where you say 'no' and it
still runs it. Could it be possible that you had already said a prior 'yes'
and the control was now cached on your system?

Additionally, it has never been a good idea to run a control without the
appropriate digital signature.

Fl@w

The aim is to showcase their fl@w's
and not to xpl0it them. - wise 'ol man with a crystal ball and a serpent
snake
Received on Aug 04 1999
