Full Disclosure mailing list archives

Re: Re: [security] What A Click! [Internet Explorer]


From: Stuart Dunkeld <stuartd () gmail com>
Date: Fri, 27 Jan 2006 23:39:05 +0000

On 27/01/06, yossarian <yossarian () planet nl> wrote:

> HTA runs applications from HTML documents. Like I mentioned, never broke
> anything in my experience. And yes, I sometimes develop stuff on this old
> windows box, including webstuff. HTA is a MS invention, Firefox has
> followed. But the main thing HTA has been, and IMHO will remain, is a
> security flaw.

FUD. HTAs are scripts which run outside the context of Internet
Explorer's security model because they are hosted by mshta.exe.
Firefox has nothing to do with it.

Anyway, the fact that the payload of this PoC is an HTA is irrelevant:
the user is fooled into clicking the Run dialog by the Agent overlay,
and the payload could as easily be any Windows executable. The
advantage of an HTA in this situation, of course, is that the paranoid
can inspect it to see exactly what it does: not so easily when a PoC
drops booom.exe into your c: drive and executes it.

You might be interested to know that Windows' Add/Remove Programs
dialog is itself an HTA - paste res://appwiz.cpl/default.hta into
IE6's address bar to see for yourself.

> Never had an active scripting host, and that had
> also never had an adverse effect.

Scripting can be quite useful, in Windows just as any other OS.

> 'Everything web' includes worms, spyware and the like. Dunno, I prefer my
> web a bit cleaner. Sandboxing is possible, just like anything web, by
> running the browser in a citrix or terminal server box. They, being windows
> based, might be compromised as well, so maybe a better idea is to run a java
> based browser in a JVM and have it over with, use something like JREX or
> Opera. If corporate, you might prefer server side java.. Run the JVM on a
> tomcat or websphere on nix or even use the old big iron, open a sandboxed
> browser in a normal browser..... et voila, a sandboxed browser. Some say
> Tarantella might do the trick neatly, have not looked into that yet.

Why not just unplug your computer?

Regards

stuartd
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/