Bugtraq mailing list archives

Internet Explorer Pop-Up OBJECT Tag Bug


From: the Pull <osioniusx () yahoo com>
Date: Sun, 13 Jan 2002 01:03:27 -0800 (PST)

Internet Explorer Pop-Up OBJECT Tag Bug

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: January 10, 2001
Severity: Moderate
Vulnerable: IE 6.0.2600.0000
+ Windows 2000 Update Versions: Q312461; Q240308; Q313675

Discussion: The PopUp object allows the insertion of
embedded objects; they run in a high privilege space
allowing the execution of local applications remotely.
(Using the codebase tag, courtesy of Dildog and
Microsoft).

Caveats, Notes: Under initial testing scripting was
not possible in the popup object, nor could I pass
parameters to the executables. Regardless, there may
be more dangerous examples of code being put within
the popup object as it seems to do almost no internal
checking at all.

Exploits: http://www.osioniusx.com

"funRun.html" - This page shows how you can run just
about anything you want on a Windows system remotely
from IE if it is on the user's system. I have included
in it two sections: one section demonstrating running
applications through the popup object; the second
section demonstrating opening up control panels and
the like from the earlier released bug
"directoryInfo.html", i.e. the "file://::{CLSID}"
feature of IE.


Potential Solution: Fix required on the popup object.

Workaround Suggestions: Disable ActiveScripting, use
Netscape on untrusted sites, browse trusted sites
only, do not allow ActiveScripting to be parsed in
emails or newsposts

Vendor Status: Emailed "Secure () microsoft com" 

Disclosure Policy: I am not opposed to more warning
for advisories and decide on that on a case by case
situation. See Also, FullDisclosure.txt.


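The post names two constructs worth filtering before a page or message reaches the browser: an OBJECT element whose codebase attribute points at a local path rather than a remote download, and links in the "file://::{CLSID}" shell-namespace form. The scanner below is an added example for a content filter or mail gateway; it is not code from the advisory, from osioniusx.com, or from Microsoft. The class and function names (ObjectTagScanner, scan_html), the regular expressions, the all-zeros GUID and the C:\placeholder path in the sample HTML are all constructed here for illustration.

```python
# Added example (not from the advisory): flag HTML that carries the two
# constructs the post describes. Uses only the Python standard library.
import re
from html.parser import HTMLParser

# "file://::{GUID}" URLs. Only the 8-4-4-4-12 hex shape of a GUID is matched;
# no specific CLSID values are listed.
CLSID_URL = re.compile(r"file://::\{[0-9A-Fa-f-]{36}\}", re.IGNORECASE)

# A codebase that names a local location (drive letter, UNC path or file:
# scheme) instead of an http(s) download URL. Relative values resolve against
# the page URL and are therefore remote, so they are not flagged.
LOCAL_CODEBASE = re.compile(r"^(?:[a-z]:[\\/]|\\\\|file:)", re.IGNORECASE)


class ObjectTagScanner(HTMLParser):
    """Collects (finding_kind, attribute_value) pairs while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases attribute names; values may be None.
        attrs = {name: (value or "") for name, value in attrs}
        if tag.lower() == "object":
            codebase = attrs.get("codebase", "").strip()
            if codebase and LOCAL_CODEBASE.search(codebase):
                self.findings.append(("object-local-codebase", codebase))
        # The CLSID form can appear in any URL-bearing attribute.
        for key in ("href", "src", "codebase", "data"):
            value = attrs.get(key, "")
            if CLSID_URL.search(value):
                self.findings.append(("clsid-url", value))


def scan_html(html: str):
    """Return the list of findings for one HTML document (empty if clean)."""
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: a benign page with a normal remote codebase, and a
# page exhibiting both patterns with placeholder values.
SAFE_HTML = """<html><body>
<object codebase="http://example.test/control.cab#version=1,0,0,0"></object>
<a href="http://example.test/page.html">ok</a>
</body></html>"""

SUSPECT_HTML = r"""<html><body>
<object codebase="C:\placeholder\app.exe"></object>
<a href="file://::{00000000-0000-0000-0000-000000000000}">open</a>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_HTML), ("suspect", SUSPECT_HTML)):
        print(label, scan_html(doc))
```

Running the module prints no findings for the benign page and two for the suspect one. A gateway would treat any finding as grounds to strip the element or quarantine the message, which lines up with the post's suggestion of not letting such content be rendered from mail or news.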