IP: YAMSB Yet another MS security bo-bo

[Dave Farber <dave () farber net>]

------ Forwarded Message
From: Tom Van Vleck <thvv () multicians org>
Date: Mon, 4 Mar 2002 12:12:09 -0500
To: farber () cis upenn edu

Hi Dave,
Have you seen the latest MSIE and Outlook virus on
The Register? 

http://www.theregus.com/content/4/24206.html

"An attacker can run arbitrary commands on Windows machines
with a simple bit of HTML, an Israeli security researcher
has demonstrated. The exploit will work with IE, Outlook
and Outlook Express even if active scripting and ActiveX
are disabled in the browser security settings."

Happens with MSIE 5.5+ only according to Bugtraq.
It uses a feature called "data binding" that interprets
the content of a data field as HTML in the local security
zone.  The article presents a code snippet that anyone
could copy and edit to launch any program, if they know
the pathname of it on the target machine.  Luckily it
appears the attacker can't pass an argument to the program,
so can't say "format c:".



------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/