Dailydave mailing list archives

Re: Ah, oo, uh, ie.


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Fri, 31 Mar 2006 13:54:37 -0600

The IObjectSafety problem, as it relates to instantiable non-ActiveX COM 
objects, is still a major issue in IE. This allows you to crash IE with a 
single object creation call, such as:

<script>
a = new ActiveXObject("OutlookExpress.AddressBook");
</script>

Real complicated eh? This was reported to MSRC, along with another dozen 
IE DoS bugs, about a month ago. The biggest problem with fixing COM 
object bugs seems to be figuring out who the actual author is. What sucks 
is finding a trivially exploitable COM object on your system and having 
no idea what application is responsible for installing it...

More browser rambling can be found on the Metasploit blog:
http://metasploit.blogspot.com/2006/03/browser-fuzzing-for-fun-and-profit.html

-HD

On Thursday 30 March 2006 16:40, Dave Aitel wrote:
I wonder if Mike's been talking to one of the DCOM designers. This
sounds like something they'd think up.

DCOM Designer: "Yo, so the server can call RpcImpersonateClient(), but
not if the client has called SetCloaking("Definitely Not"). but if the
registry has the "Cloaking: Not such a good thing" dword set to 1 then
it still can. Clear?"
ProgrammersProgrammersProgrammers: "Sure!"

Haha. That API cracks me up every time.
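The "who installed this COM object" question in HD's message can be answered from the registry on the affected machine. The PowerShell script below is an added example, not code from the post or from Metasploit: it takes a ProgID (defaulting to the one quoted above), resolves it to its CLSID and in-process server DLL, reads the DLL's version resource for the vendor, and reports the static "safe for scripting/initializing" component categories plus the IE kill bit. The category GUIDs and kill-bit flag value are the documented Microsoft constants; the host, the registry layout and the output field names are assumptions of the example.

```powershell
# Added example: trace a scriptable COM object back to its DLL and vendor,
# and show what IE can learn about it from the registry alone.
# Assumes a Windows host with read access to HKCR and HKLM.
param([string]$ProgId = "OutlookExpress.AddressBook")

# Component categories IE consults when an object does not answer IObjectSafety.
$CatSafeForScripting = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
$CatSafeForInit      = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

# ProgID -> CLSID
$clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
if (-not (Test-Path $clsidKey)) { throw "ProgID '$ProgId' is not registered on this host" }
$clsid = (Get-ItemProperty $clsidKey).'(default)'

# CLSID -> in-process server DLL (expand %SystemRoot% style paths)
$serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
$dll = $null
if (Test-Path $serverKey) {
    $dll = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $serverKey).'(default)')
}

# DLL -> vendor/product from the file's version resource; this is usually the
# fastest way to find out which application shipped the object.
$vendor = $null
if ($dll -and (Test-Path $dll)) {
    $vi = (Get-Item $dll).VersionInfo
    $vendor = "$($vi.CompanyName) / $($vi.ProductName) $($vi.FileVersion)"
}

# Static safety markings. Note the caveat from the post: an object may instead
# claim safety dynamically through IObjectSafety, which this check cannot see,
# and IE has already loaded the DLL by the time either question is asked.
$catKey    = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\Implemented Categories"
$safeScript = Test-Path "$catKey\$CatSafeForScripting"
$safeInit   = Test-Path "$catKey\$CatSafeForInit"

# Kill bit (Compatibility Flags 0x400): the one registry setting that stops
# IE from instantiating the CLSID at all, so the crash above never happens.
$killKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$flags = 0
if (Test-Path $killKey) { $flags = [int]((Get-ItemProperty $killKey).'Compatibility Flags') }
$killBit = ($flags -band 0x400) -ne 0

[pscustomobject]@{
    ProgId = $ProgId; CLSID = $clsid; Server = $dll; Vendor = $vendor
    SafeForScriptingCategory    = $safeScript
    SafeForInitializingCategory = $safeInit
    KillBitSet                  = $killBit
}
```

Run it against any ProgID found in a crash report; a result with no safety categories and no kill bit means IE will happily load the DLL on a `new ActiveXObject()` call, and the Vendor field tells you whom to send the report to.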

