Macinosh IE file execuion vulerability

[Jass Seljamaa <jass () email isp ee>]

-------------------------------------------------
This mail sent through IMP: email.isp.ee


Problem:
Malicious webmaster can execute files, if the victim is 
using Internet Explorer 5.

Affected versions:
IE 5.0, probably earlier, on Classic systems(below OS X)

Description:

If you know the file path you can execute watever you want. What makes it 
difficult is that macintosh hard drives have different names, just like 
folders, not like on Windows - you can refer to the HD by typing c:\.
On OS 9(and above) there are a bunch of AppleScripts called 'speakable items',

which are made to make your life easier. They can be used for example to shut 
down the macintosh*, change the resolution, put computer to sleep(a energy-
saving mode), close this window, close all windows etc. The default HD name is 
Macintosh HD(all systems I can remember). On OS 9(with the default 
configuration) the speakable item named Put Computer To Sleep lies in Macintosh

HD:System Folder:Speakable Items:Put Computer To Sleep.

* - Asks for confirmation.

Exploit:


<META HTTP-EQUIV="refresh" CONTENT="1; 
URL=file:///Macintosh%20HD/System%20Folder/Speakable%20Items/Put%20Computer%20To%20Sleep">

This will blank the screen and spin down hard disk(s). 

Vendor:
I contacted Microsoft 2 months ago, they did not reply. 



Jass Seljamaa,
jass () isp ee
GSM: +3725212242