Vulnerability Development mailing list archives

RE: Rather large MSIE-hole


From: "Tiago Halm" <thalm () hotmail com>
Date: Sat, 16 Mar 2002 04:42:39 +0000

After a little testing over this MSIE hole I believe IE has (in this matter) two flaws.

1º: There is an obvious bug in the HTML OBJECT tag rendering process

The HTML code can even be written like
<OBJECT NAME='X' CLASSID='CLSID:aaaaaaaa' CODEBASE='file://c:\windows\system32\cmd.exe'></OBJECT>

As you see the CLASSID only needs the first 8 hexadecimal values.
The CODEBASE can be any pluggable protocol like file: ftp: res: http: about:


2º: A popup window doesn't run within the browser security settings

If you try the above code in a normal HTML page like:

<html>
<body>
<OBJECT NAME='X' CLASSID='CLSID:aaaaaaaa' CODEBASE='file://c:\windows\system32\cmd.exe'></OBJECT>
</body>
</html>

The ActiveX control being downloaded is treated like an unsigned ActiveX control. If you then go to the security settings of your browser and set the "download unsigned ActiveX controls" option to "prompt", then you'll get a warning message saying "Authenticode signature not found" and asking you to choose what to do. This behavior should occur when the popup window is shown and its HTML code rendered.


Finally, when I tried to run "Event Viewer" as

<OBJECT NAME='X' CLASSID='CLSID:aaaaaaaa' CODEBASE='file://c:\windows\system32\eventvwr.exe'></OBJECT>

The event viewer seems to receive a parameter "Program" because before showing the Event Viewer MMC, it states the following:

-------------------------------------------------------------
Unable to connect to the computer "Program". The error was:

The network path was not found.
-------------------------------------------------------------

It's rather strange...

Tiago Halm

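A detection-side companion to the behaviour described in the message above, added here as an example and not part of the original post: a small scanner that walks the OBJECT tags in a page and flags the two properties the post points at, a CLASSID shorter than a full CLSID (such as 'CLSID:aaaaaaaa') and a CODEBASE that uses a scheme other than http or https (file:, res:, about:, ftp:, or a bare local path). The sample page, its object names and the full-length CLSIDs in it are constructed for this example; the check is useful at a proxy or mail gateway, not as a browser-side fix.

```python
"""Flag <OBJECT> tags with a truncated CLSID or a non-web CODEBASE.

Added example; the sample HTML below is constructed and modelled on the
snippets in the post, it is not taken from a real page.
"""
import re

# A full CLSID is 8-4-4-4-12 hex digits; anything shorter or malformed is flagged.
FULL_CLSID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# Schemes a CODEBASE legitimately uses to fetch a control over the network.
WEB_SCHEMES = {"http", "https"}
OBJECT_TAG = re.compile(r"<object\b([^>]*)>", re.I)
# name='value', name="value" or name=value; attribute names are case-insensitive.
ATTR = re.compile(r"""([a-z][\w-]*)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>'"]+))""", re.I)
# Scheme must be at least two characters so a drive letter ("c:") is not taken as one.
SCHEME = re.compile(r"^\s*([a-z][a-z0-9+.-]+):", re.I)

# Constructed sample page: two suspicious objects (X, Y) and two benign ones.
SAMPLE_HTML = r"""
<html><body>
<OBJECT NAME='X' CLASSID='CLSID:aaaaaaaa' CODEBASE='file://c:\windows\system32\cmd.exe'></OBJECT>
<object name="flashlike" classid="clsid:12345678-1234-1234-1234-123456789abc"
        codebase="http://example.com/control.cab"></object>
<OBJECT NAME='Y' CLASSID='CLSID:aaaaaaaa' CODEBASE='res://c:\windows\system32\eventvwr.exe'></OBJECT>
<object name="local" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>
"""


def parse_attrs(attr_text):
    """Return the attributes of one tag as a dict with lower-cased names."""
    attrs = {}
    for m in ATTR.finditer(attr_text):
        # Exactly one of the three value groups matched; take it.
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def check_object(attrs):
    """Return a list of (finding_kind, offending_value) for one OBJECT tag."""
    findings = []
    classid = attrs.get("classid", "")
    guid = re.sub(r"^\s*clsid:", "", classid, flags=re.I).strip()
    if classid and not FULL_CLSID.match(guid):
        findings.append(("truncated-clsid", classid))
    codebase = attrs.get("codebase")
    if codebase is not None:
        m = SCHEME.match(codebase)
        scheme = m.group(1).lower() if m else ""   # "" covers bare paths like c:\...
        if scheme not in WEB_SCHEMES:
            findings.append(("non-web-codebase", codebase))
        if re.search(r"\.exe\b", codebase, re.I):
            findings.append(("executable-codebase", codebase))
    return findings


def scan_html(html):
    """Scan a page and return one dict per finding, keyed by the object's NAME."""
    results = []
    for m in OBJECT_TAG.finditer(html):
        attrs = parse_attrs(m.group(1))
        for kind, value in check_object(attrs):
            results.append({"name": attrs.get("name", ""), "kind": kind, "value": value})
    return results


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['name']:>10}  {f['kind']:<20}  {f['value']}")
```

Running the block on the constructed page reports three findings each for objects X and Y and none for the two objects with a full CLSID and an http or absent CODEBASE. The scheme test deliberately requires at least two characters, so a CODEBASE of the form c:\path is treated as having no scheme and is flagged rather than mistaken for a "c:" protocol.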

