Script Injection to Custom HTTP Errors in Local Zone

By Thomas McGuire

On July 1, 2003, 11:24 AM

Affected applications: Microsoft Internet Explorer 5.01, 5.5 & 6.0.
Note that any other application that uses Internet Explorer's engine (WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.).

Discussion: We found that the above-mentioned parsing procedure has a flaw in it that may cause arbitrary script commands to be executed in the Local Zone, leading to potential arbitrary command execution, local file reading & other severe consequences. However, exploiting this procedure requires user interaction. The user must click the URL presented to them by the resource for the malicious code to execute.

Solution: Microsoft was notified on 20-Feb-2003. They were able to reproduce this on IE6 Gold & all versions below it. We managed to reproduce it on all versions, including IE6 SP1, with no exceptions. They plan to fix this flaw in a future service pack.
