Bugtraq mailing list archives
RE: IE execution of arbitrary commands without Active Scripting or ActiveX (GM#001-IE) + Workaround.
From: "GreyMagic Software" <security () greymagic com>
Date: Sun, 3 Mar 2002 03:02:18 +0200
As the advisory mentions, this exploit only works for IE5.5+, and I quote: "Any application that hosts the WebBrowser control (5.5+) is affected since..."

Many people seem to have missed that and emailed us about the fact that "it doesn't work here!" while using IE5, so to make it perfectly clear: the bug only exists in IE5.5 and later versions, even if you set your Internet Zone to disable the download of ActiveX.

Regardless of all this, we were notified of a possible workaround and thought that this is important to share. Since the injected <object> runs in the "My Computer" Zone, changing the Internet Zone's settings didn't affect it, but changing the correct zone's settings will prevent this exploit from running.

Here is the registry information:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Change "1004" (DWORD) to 0x3.

Many thanks to Axel Pettinger and Garland Hopkins for this workaround.

Regards,
L. Dagon, GreyMagic Software, Israel.

-----Original Message-----
From: Stefan Osterlitz [mailto:stefan () osterlitz de]
Sent: Friday, March 01, 2002 13:02
To: GreyMagic Software
Cc: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: IE execution of arbitrary commands without Active Scripting or ActiveX (GM#001-IE)
Solution:
=========
There is no configuration-tweaking workaround for this bug, it will work as long as the browser parses HTML. The only possible solution must come in the form of a patch from Microsoft.
IMHO this is wrong. You can disable the download of signed / unsigned ActiveX controls. My IE version 5.00.2614.3500 w/patches is not vulnerable with that setting.
Tested on:
==========
IE5.5sp2 Win98, all patches, Active scripting and ActiveX disabled.
IE5.5sp2 NT4 sp6a, all patches, Active scripting and ActiveX disabled.
IE6sp1 Win2000 sp2, all patches, Active scripting and ActiveX disabled.
IE6sp1 WinXP, all patches, Active scripting and ActiveX disabled.
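
The registry workaround from the message above, as an added PowerShell example (not part of the original post and not GreyMagic's own code): it reads the current value, reports it so the change can be reverted, and sets it to 0x3. The key path, value name and target value are taken from the post; the function names are hypothetical.

```powershell
# Added example: audit and apply the "My Computer" zone (Zones\0) workaround.
# Key path, value name "1004" and target 0x3 come from the post above.
# Function names are hypothetical. The key is under HKCU, so this is per user.
$ZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$ValueName = '1004'
$Wanted    = 3

function Get-Zone0Setting {
    # Returns the current DWORD, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $ZoneKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-Zone0Workaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-Zone0Setting
    $shown  = if ($null -eq $before) { '(not set)' } else { '0x{0:x}' -f $before }

    if ($before -eq $Wanted) {
        Write-Output "No change needed: $ValueName is already $shown"
        return
    }

    if ($PSCmdlet.ShouldProcess($ZoneKey, "Set $ValueName from $shown to 0x3")) {
        # Create the zone key if this profile does not have it yet.
        if (-not (Test-Path -Path $ZoneKey)) {
            New-Item -Path $ZoneKey -Force | Out-Null
        }
        Set-ItemProperty -Path $ZoneKey -Name $ValueName -Value $Wanted -Type DWord

        # Read back to confirm the write, and print the old value for rollback.
        $after = Get-Zone0Setting
        Write-Output ("Changed {0}: was {1}, now 0x{2:x}" -f $ValueName, $shown, $after)
    }
}

# Preview only; remove -WhatIf to apply the change for the current user.
Set-Zone0Workaround -WhatIf
```

Because the key lives under HKEY_CURRENT_USER, the script has to run in each user's session for the setting to cover every account on the machine.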