Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#127065 - 19/11/2002 13:28 DANGEROUS IE vunerability
leftyfb
enthusiast

Registered: 04/03/2002
Posts: 217
Loc: Lowell, MA
I'm sure most have already heard of this security hole in IE 55/6 or at least saw the article on /. today.

I just can't believe these things get by QA at M$.

I put up my little version of the example code here

--admin edit - URL removed


Edited by Drakino (19/11/2002 14:23)
_________________________
Mk2a 30GB Blue. Serial 030102999

Top
#127066 - 19/11/2002 13:48 Re: DANGEROUS IE vunerability [Re: leftyfb]
JBjorgen
carpal tunnel

Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
dare I click on that link?
_________________________
~ John

Top
#127067 - 19/11/2002 13:49 Re: DANGEROUS IE vunerability [Re: JBjorgen]
Laura
pooh-bah

Registered: 16/06/2000
Posts: 1682
Loc: Greenhills, Ohio
I wouldn't if I were you
_________________________
Laura

MKI #017/90

whatever

Top
#127068 - 19/11/2002 13:50 Re: DANGEROUS IE vunerability [Re: JBjorgen]
leftyfb
enthusiast

Registered: 04/03/2002
Posts: 217
Loc: Lowell, MA
you honestly think i'd post a link causing damage to the empeg community? I'd be hunted and mamed. Nah, it's just the help for format. But it can run ANY executable within your path variable on your machine.

I could post the code for it here if you like.
_________________________
Mk2a 30GB Blue. Serial 030102999

Top
#127069 - 19/11/2002 13:53 Re: DANGEROUS IE vunerability [Re: leftyfb]
JBjorgen
carpal tunnel

Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
There's no patch at the windows update site...any way to patch this hole up till there is?

Edit: I'd be interested in seeing that code too.


Edited by Meatballman (19/11/2002 13:54)
_________________________
~ John

Top
#127070 - 19/11/2002 13:56 Re: DANGEROUS IE vunerability [Re: JBjorgen]
leftyfb
enthusiast

Registered: 04/03/2002
Posts: 217
Loc: Lowell, MA
2) VENDOR STATUS:
==================
Microsoft was initially contacted 2002-10-04. After several mail
exchanges, their final response were that the technique used to run
programs with parameters from the "Local computer zone" was no security
vulnerability. A fix should instead be applied for all possibilities for
content in the "Internet zone" to access the "Local computer zone".

So basically M$ is saying it's not a hole. So I would assume no, no fix available.
_________________________
Mk2a 30GB Blue. Serial 030102999

Top
#127071 - 19/11/2002 13:58 Re: DANGEROUS IE vunerability [Re: JBjorgen]
robricc
carpal tunnel

Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
Looks like I'll be using Mozilla for a day or two....

--admin edit - Script removed


Edited by Drakino (19/11/2002 14:26)
_________________________
-Rob Riccardelli
80GB 16MB MK2 090000736

Top
#127072 - 19/11/2002 14:12 Re: DANGEROUS IE vunerability [Re: leftyfb]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Saw this in the Slashdot thread:

"Can it install Linux on the hard drive after it has formatted it?

You might think you're joking, but there would be no better way to get microsoft to quickly fix this than to create a web page that downloads a debian install floppy and starts up a network install :-)

User: Hmmm, my computer is acting subtly different, oh well...
MS: Oh no, we've lost another one!"
_________________________
Remind me to change my signature to something more interesting someday

Top
#127073 - 19/11/2002 14:21 Re: DANGEROUS IE vunerability [Re: leftyfb]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Although I know you intended no harm, and that the majority of the empeg community would treat this properly, I am scrubbing this thread of all references to the actual code to prevent it from turning up via a search in google or other places.

I personally think that posting exploit code for a vunerability that affects 90% or more of the internet browsing world is wrong. For the most part, people were at least decent enough to not reveal the exploit code for Windows XP (non service pack) that could do similar damage.

Top
#127074 - 19/11/2002 14:31 Re: DANGEROUS IE vunerability [Re: drakino]
leftyfb
enthusiast

Registered: 04/03/2002
Posts: 217
Loc: Lowell, MA
Sorry bout that. I posted it basically to give people an idea of the real implications of it. Some can't tell that just by looking at the code and some would just much rather prefer to click on the link to show them what it could do.

But I agree, probably for the best not to publicise it as much as possible (although can't get much worse than being on /.)
_________________________
Mk2a 30GB Blue. Serial 030102999

Top
#127075 - 19/11/2002 20:38 Re: DANGEROUS IE vunerability [Re: leftyfb]
FireFox31
pooh-bah

Registered: 19/09/2002
Posts: 2494
Loc: East Coast, USA
Yeah, it's amazing how many deadly "great features" Windows decided to implement. Like Scrap files (.SHS files). They are totally worthless and are a vulnerability. And all this Internet Zoning stuff. What's the deal with that anyway? Like, if you run Windows Explorer on a 9x/ME box, why does the Local Computer Zone panel on the bottom take precidence over the filesize pane? Stupid.

Every bone in my body wants to spend the rest of my life recoding a trim-ware version of Windows with just the features that are needed. <waiting to get hit over the head with an obligatory "use linux" line, and I know I should just try it becauise I LOVE command line power!>
_________________________
-
FireFox31
110gig MKIIa (30+80), Eutronix lights, 32 meg stacked RAM, Filener orange gel lens, Greenlights Lit Buttons green set

Top