RE: Who framed Internet Explorer and IE6 SP1

["GreyMagic Software" <security () greymagic com>]

We received numerous emails asking whether the frames issue is (partially)
fixed in IE6 SP1 since the "Program execution" and "Local file reading"
demonstrations in our advisory did not function.

These demonstrations did not function because SP1 blocks links to res:// and
file:// URLs and not because Microsoft fixed the core vulnerability (this
could have been verified by running the first and second demonstrations).

We have now revised both demonstrations according to Thor's post, and it is
again possible to read local files and execute programs under IE6 SP1 as
well.

The advisory and demonstrations can be found at
http://sec.greymagic.com/adv/gm010-ie/.

> ..Ironically, though, the fix itself opens up a way to circumvent this
> security measure. You can still open any file:// or res:// file
> automatically with
>
> <object type="text/html" data="redirect.asp"></object>