Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: [security] What A Click! [Internet Explorer]
From: Stuart Dunkeld <stuartd () gmail com>
Date: Fri, 27 Jan 2006 23:39:05 +0000

On 27/01/06, yossarian <yossarian () planet nl> wrote:

HTA runs applications from HTML documents. Like I mentioned, never broke
anything in my experience. And yes, I sometimes develop stuff on this old
windows box, including webstuff. HTA is a MS invention,  Firefox has
followed. But the main thing HTA has been, and IMHO will remain, is a
security flaw.


FUD. HTAs are scripts which run outside the context of Internet
Explorer's security model because they are hosted by mshta.exe.
Firefox has nothing to do with it.

Anyway, the fact that the payload of this PoC is an HTA is irrelevant:
the user is fooled into clicking the Run dialog by the Agent overlay,
and the payload could as eaily be any Windows executable. The
advantage of an HTA in this situation, of course, is that the paranoid
can inspect it to see exactly what it does: not so easily when a PoC
drops booom.exe into your c: drive and executes it.

You might be interested to know that Window's Add/Remove programs
dialog is itself an HTA - paste res://appwiz.cpl/default.hta into
IE6's address bar to see for yourself.

 Never had an active scripting host, and that had
also never had an adverse effect.

Scripting can be quite useful, in Windows just as any other OS.

'Everything web' includes worms, spyware and the like. Dunno, I prefer my
web a bit cleaner. Sandboxing is possible, just like anything web, by
running the browser in a citrix or terminal server box. They, being windows,
based might be compromised as well, so maybe a better idea is to run a java
based browser in a JVM and have it over with, use something like JREX or
Opera.  If corporate, you might prefer server side java.. Run the JVM on a
tomcat or websphere on nix or even use the old big iron, open a sandboxed
browser in a normal browser.....  et voila, a sandboxed browser. Some say
Tarantella might do the trick neatly, have not looked into that yet.


Why not just unplug your computer?

Regards

stuartd
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]