Bugtraq mailing list archives
IE5 ActiveX security bug
From: feenix () IQS FI (Sami Kuhmonen)
Date: Sun, 1 Aug 1999 21:21:40 +0300
There is a severe bug in Internet Explorer 5's security system concerning ActiveX components on web pages. If you go to a web page that has an evil ActiveX component (for example, the component shuts down Windows) and tell IE to run the component, of course it runs it. After that you know that you do not want to run that component. But what happens when you go to that page later? IE5 asks whether you want to run this component or not. Say no, and it still runs it! So all it takes is one little mistake to run the component and it will be run every time you go to a page with that component. And think what will happen, if the component doesn't do its damage the first time, but the second time or later. Even if you don't want to run it, it will be run. And it might not even be shown on the screen. -- Sami Kuhmonen | sami () iqs fi | http://feenix.iqs.fi/ iQs Partners Finland | iqs () iqs fi | http://www.iqs.fi/ !!Webhotellit ilman avausmaksua!! | http://www.saitti.net/ * Tutustu verkkokauppaan! | http://kauppa.iqs.fi/ *
Current thread:
- Re: FW-1 DOS attack: PART II Spitzner, Lance (Jul 31)
- <Possible follow-ups>
- Re: FW-1 DOS attack: PART II Ramon Krikken (Aug 01)
- Re: FW-1 DOS attack: PART II Spitzner, Lance (Aug 01)
- Re: FW-1 DOS attack: PART II Steve Birnbaum (Aug 03)
- IE5 ActiveX security bug Sami Kuhmonen (Aug 01)
- Re: IE5 ActiveX security bug Adam H. Pendleton (Aug 03)
- Re: IE5 ActiveX security bug Hakeem Shittu (Aug 03)
- Fwd: [SECURITY] New version of samba released Chris Ruvolo (Aug 01)
- midnight commander vulnerability(?) (fwd) coda (Aug 01)
- Re: FW-1 DOS attack: PART II Spitzner, Lance (Aug 01)
- Re: FW-1 DOS attack: PART II Sean Boyle (Aug 02)
- Re: FW-1 DOS attack: PART II Darren Reed (Aug 03)
- Re: FW-1 DOS attack: PART II Leif Sawyer (Aug 03)
- Re: FW-1 DOS attack: PART II Darren Reed (Aug 05)
