Bugtraq mailing list archives
Re: IE5 ActiveX security bug
From: hshittu () CAS ORG (Hakeem Shittu)
Date: Tue, 3 Aug 1999 15:03:18 -0400
Sami Kuhmonen wrote:
There is a severe bug in Internet Explorer 5's security system concerning ActiveX components on web pages. If you go to a web page that has an evil ActiveX component (for example, the component shuts down Windows) and tell IE to run the component, of course it runs it. After that you know that you do not want to run that component. But what happens when you go to that page later? IE5 asks whether you want to run this component or not. Say no, and it still runs it!
I tested this feature on a Win98 box with the strict security setting and could not reproduce this, except for the repeated requests to install/run the control. Particularly tested was the portion where you say 'no' and it still runs it. Could it be possible that you had already said a prior 'yes' and the control was now cached on your system? Additionally, it has never been a good idea to run a control without the appropriate digital signature.

Fl@w
The aim is to showcase their fl@w's and not to xpl0it them.
- wise 'ol man with a crystal ball and a serpent snake