mailing list archives
Re: Internet Explorer Code Execution Bypass Vulnerability
From: <cmthemc () yahoo com>
Date: 19 Dec 2004 20:47:06 -0000
In-Reply-To: <20041217170337.26668.qmail () www securityfocus com>
I'm a little bit confused as to why you would classify this as a "vulnerability" -- or even relate it to internet
explorer at all... I think you have confused the simple html parsing of Active Desktop with microsoft internet
explorer... however, what you have listed as an "avoid/overrun/bypass" to the "new protection(?)" on "IE (winxp sp2)",
is neither an avoid, overrun, or bypass. When the html with js code is executed from within ie, sp2 still performs its
magic. I'm afraid this was a weak attempt to get your name on the board.
Last week I discovered a vulnerability to avoid/overrun/bypass the new protection for Local JS Execution on IE (winxp
(Copy and paste into your Notepad and save it as EXAMPLE.HTM)
If you open EXAMPLE.HTM, your IE blocks this code and shows a yellow bar over the webpag.
But I discovered a vulnerability to allow Local JS Code to execute on IE, the exploit is:
"Go to Control Panel / Display Config and set as the desktop background the example webpage (EXAMPLE.HTM), once this
is done, the code will be executed without showing any warning in IE"
My Webpag: www.madantrax.cjb.net
My ClanWeb: www.darknessteam.com