It works for me on default settings of IE 6.0/5.5/Win2K.
Note: AFAIK Microsoft neither confirms nor denies it is a bug, the last I heard from them was they were investigating my report.

Georgi Guninski, http://www.guninski.com

Michael Fellows wrote:
>
> I tested this with the following systems:
>
> Win2K, IE 6.0.2600.0000CO w/Q313675
> Win95, IE 5.50.4807.2300CO w/SP2
>
> IE gives an "Error: Automation server can't create object" error unless
> "Initialize and script ActiveX controls not marked as safe" is set to
> "Enable" in the "Local intranet" Zone. At which point the vulnerability
> as listed works.
>
> User intervention is required to enable this setting because default
> settings and settings provided via the "Reset custom settings" default to
> either "Disable" or "Prompt".
>
> Were you able to get past this setting? If not, then I don't see this as
> being too large of a threat.
>
> Thank you,
>
> Michael
>
> --
> Michael Fellows
> Utah Department of Transportation
> email: mfellows@dot.state.ut.us
> pgp key: 0x6D8C2EF7
>