Full Disclosure mailing list archives

Re: Yet another reason not to use IE! Old news?


From: "Lise Moorveld" <lise_moorveld () hotmail com>
Date: Wed, 11 Aug 2004 10:59:17 +0200

Hi,

Just visited a well known site (Wired.com) and had a nice little piece of code cause the page that I was reading to go blank – DNS error page. Here’s the offending code (parentheses instead of slashes to not cause AV scanning issues) and thank God I wasn’t using XP:

ms-its:c:((windows(Help(iexplore.chm::)iegetsrt.htm

Correct me if I'm wrong, but the only thing this bit of code does is open
a local file taken from a local CHM file.

Jelmer mentioned this bit of code in his recent analysis:
http://62.131.86.111/analysis.htm

Apparently, the trick is that it is opened in the Local Computer Zone and
that, if you know a cross-zone scripting vulnerability, you can inject
malicious scripting code into the local file and have it executed in the
security context of the Local Computer Zone.

So what would be really interesting is finding the code in the banner that
performs the cross-zone scripting.

Also, in the analysis of Jelmer, the local file is opened using the
Location: header. I'm not sure what it means if a banner can alter
headers? Would it mean the banner server is compromised?

Any ideas anyone?

-- Lise

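As an added illustration (not part of Lise's message or Jelmer's analysis), the following Python snippet shows how a proxy or content filter could flag the two things discussed above: an ms-its: URI embedded in banner HTML, and an HTTP Location: header that redirects to one. The sample HTML fragment and header block are constructed for the example; the URI is the de-obfuscated form of the one quoted in the post.

```python
import re
from typing import List, Tuple

# Constructed sample of an ad-banner HTML fragment. This is illustrative only,
# not content captured from Wired.com or from any banner server.
SAMPLE_HTML = """<html><body>
<iframe src="ms-its:c:\\windows\\Help\\iexplore.chm::/iegetsrt.htm" width="1" height="1"></iframe>
<a href="http://example.invalid/ad/click">promo</a>
</body></html>"""

# Constructed sample of an HTTP response whose Location: header points at a
# local CHM member, the pattern raised in the post's question about headers.
SAMPLE_HEADERS = """HTTP/1.1 302 Found
Server: banner-server
Location: ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/iegetsrt.htm
Content-Length: 0
"""

# Only the scheme named in the post is checked. A match runs until whitespace
# or a quote/angle bracket, which is where an attribute value normally ends.
MS_ITS_URI = re.compile(r"ms-its:[^\s\"'<>]+", re.IGNORECASE)


def find_ms_its_in_body(html: str) -> List[str]:
    """Return every ms-its: URI found anywhere in an HTML body."""
    return MS_ITS_URI.findall(html)


def find_ms_its_in_headers(raw_headers: str) -> List[str]:
    """Return Location: header values that redirect into the ms-its: scheme."""
    hits = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            value = value.strip()
            if value.lower().startswith("ms-its:"):
                hits.append(value)
    return hits


def scan_response(raw_headers: str, html: str) -> List[Tuple[str, str]]:
    """Combine both checks; each finding is (where it was seen, the URI)."""
    findings = [("header", uri) for uri in find_ms_its_in_headers(raw_headers)]
    findings += [("body", uri) for uri in find_ms_its_in_body(html)]
    return findings


if __name__ == "__main__":
    for location, uri in scan_response(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{location}: {uri}")
```

A hit on the header side is the case Lise asks about: the redirect is produced by whatever answered the banner request, so it points at the server (or an intermediary) rather than at the page that embedded the banner.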


