Full Disclosure
mailing list archives
Re: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV
From: "Thor Larholm" <thor () pivx com>
Date: Fri, 2 Jan 2004 19:14:46 -0800
From: "morning_wood" <se_cur_ity () hotmail com>
> running "malware.html" locally does produce the desired results, but then
> again...

The exploit is intended and created to be run locally from a local security
zone - getting to a local zone in the first place requires other
vulnerabilities.

> I can get any html to execute locally calling a remote location for the
> code, as long as it's run from the local machine.

There are several steps involved in most of all IE command execution
exploits, some of these involve downloading and executing a file once you
are already in a local security zone. What http-equiv did was to simplify
that part of the process by using the Shell.Application object.

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
949-231-8496
PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>
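
Added example, not part of the original post or of any code from the thread: a static triage check that flags HTML instantiating the Shell.Application object mentioned above, whether through JScript `ActiveXObject`, VBScript `CreateObject`, or an `<object>` tag carrying the object's CLSID. The function name and the sample document are constructed for illustration.

```python
import re

# ProgID named in the post, and the CLSID under which Windows registers it.
PROGID = "Shell.Application"
CLSID = "13709620-C279-11CE-A49E-444553540000"

_QUOTED_PROGID = r"[\"']" + re.escape(PROGID) + r"(\.\d+)?[\"']"

# Each pattern targets one way a page can create the object.
PATTERNS = [
    ("ActiveXObject",
     re.compile(r"new\s+ActiveXObject\s*\(\s*" + _QUOTED_PROGID, re.I)),
    ("CreateObject",
     re.compile(r"CreateObject\s*\(\s*" + _QUOTED_PROGID, re.I)),
    ("object classid",
     re.compile(r"<object\b[^>]*classid\s*=\s*[\"']?clsid:\{?" + CLSID + r"\}?",
                re.I)),
]

def find_shell_application(html):
    """Return sorted (line_number, kind, matched_text) for each instantiation."""
    findings = []
    for kind, rx in PATTERNS:
        for m in rx.finditer(html):
            line = html.count("\n", 0, m.start()) + 1
            findings.append((line, kind, m.group(0)))
    return sorted(findings)

# Constructed sample: three instantiations and one harmless prose mention.
SAMPLE = """<html>
<body>
<script>
var sh = new ActiveXObject( 'shell.application' );
</script>
<script language="VBScript">
Set s = CreateObject("Shell.Application")
</script>
<OBJECT id="o" classid="clsid:13709620-c279-11ce-a49e-444553540000"></OBJECT>
<p>The Shell.Application object is discussed here in prose only.</p>
</body>
</html>
"""

if __name__ == "__main__":
    for line, kind, text in find_shell_application(SAMPLE):
        print(f"line {line}: {kind}: {text}")
```

The check matches literal instantiations only, so a clean result is a triage signal rather than proof that a file does not use the object.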