Bugtraq mailing list archives

RE: MS 3/28/02 Security Patch for IE6 - warning!


From: the Pull <osioniusx () yahoo com>
Date: Wed, 3 Apr 2002 10:20:14 -0800 (PST)


--- Eric <ews () tellurian net> wrote:
> The Register was running the script locally - in the
> My Computer zone.  If you host the malicious html on a
> webpage, etc. then the patch does indeed prevent the
> execution of code.


The object tag has always been able to run from My
Computer in this manner. I use it for testing zone
problems, which is how it was originally discovered.
This was the original assessment of the bug and the
reason why the potential was there for something
nastier.

from Microsoft (
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-015.asp
)

"In certain instances, IE incorrectly reckons these
objects as being part of the Local Computer zone, even
though the page itself is in a different zone, such as
the Internet zone. Because the Local Computer zone is
less restrictive than other zones, this can allow the
web page to run executables on the local system
without prompting."

from my addendum advisory (
http://groups.google.com/groups?q=pop-up+group:bugtraq&hl=en&selm=bugtraq/20020116183201.24698.qmail%40web12507.mail.yahoo.com&rnum=1
) :->

"The object is being executed in My Computer
security zone, i.e., the codebase problem is a Microsoft
"feature", it just should only work in My Computer
Zone -- not remotely. "

Then I went on to explain why that is bad and
potentially exploitable.

<snip>



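The pattern the post and MS02-015 describe is an `<object>` tag whose `codebase` attribute names something on the local machine instead of a web location, so that IE treats it as Local Computer zone content. The scanner below is an added example, not code from the original post, from Microsoft or from The Register: it walks HTML with the standard-library parser and reports every `<object>` whose `codebase` points at the local filesystem. The sample HTML is constructed, and the local-path heuristics (a `file:` scheme, a drive letter, or a UNC path) are this example's own assumption about what "local" looks like in practice.

```python
"""Flag <object> tags whose codebase attribute points at the local machine.

Added example for the MS02-015 codebase/zone discussion; not the original
post's code. SAMPLE_HTML is constructed. The notion of "local" used here
(file: URLs, drive-letter paths, UNC paths) is an assumption of this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A Windows drive-letter path such as c:\... or C:/...
_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")
# A UNC path such as \\server\share\...
_UNC_RE = re.compile(r"^\\\\")


def is_local_codebase(value: str) -> bool:
    """Return True when a codebase value names the local machine.

    Relative and root-relative paths resolve against the page's own origin,
    so they are treated as remote; only explicit local forms are flagged.
    """
    v = value.strip()
    if not v:
        return False
    if _DRIVE_RE.match(v) or _UNC_RE.match(v):
        return True
    # urlparse would read "c:" as a scheme, which is why the regexes run first
    return urlparse(v).scheme.lower() == "file"


class ObjectCodebaseScanner(HTMLParser):
    """Collects (line, tag, codebase) for every <object> with a local codebase."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names, so
        # <OBJECT CODEBASE=...> is caught as well as <object codebase=...>.
        if tag != "object":
            return
        for name, value in attrs:
            if name == "codebase" and value is not None and is_local_codebase(value):
                line, _offset = self.getpos()
                self.findings.append((line, tag, value))


def scan_html(html: str):
    """Parse the document and return the list of local-codebase findings."""
    scanner = ObjectCodebaseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one remote codebase (fine), three local ones (flagged),
# one root-relative path (resolves against the page's origin, so fine).
# classid is omitted because only codebase matters for this check.
SAMPLE_HTML = """<html><body>
<object codebase="http://example.com/plugin.cab"></object>
<object codebase="c:/windows/system32/calc.exe"></object>
<OBJECT CODEBASE="file:///C:/Windows/notepad.exe"></OBJECT>
<object codebase="\\\\server\\share\\tool.exe"></object>
<object codebase="/plugins/viewer.cab"></object>
</body></html>"""


if __name__ == "__main__":
    for line, tag, codebase in scan_html(SAMPLE_HTML):
        print(f"line {line}: <{tag}> has local codebase {codebase!r}")
```

Run against a saved copy of a page (for instance the one The Register tested), the scanner reports the lines that would have been executed from the My Computer zone before the patch; it does not try to decide whether the page itself was loaded locally or remotely, which is exactly the distinction the thread is about.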