Internet Explorer Pop-Up OBJECT Tag Bug

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: January 10, 2001
Severity: Moderate
Vulnerable: IE 6.0.2600.0000 + Windows 2000
Update Versions: Q312461; Q240308; Q313675

Discussion:
The PopUp object allows the insertion of embedded objects; they run in a high-privilege space, allowing the execution of local applications remotely (using the codebase tag, courtesy of Dildog and Microsoft).

Caveats, Notes:
Under initial testing scripting was not possible in the popup object, nor could I pass parameters to the executables. Regardless, there may be more dangerous examples of code being put within the popup object, as it seems to do almost no internal checking at all.

Exploits:
http://www.osioniusx.com "funRun.html" - This page shows how you can run just about anything you want on a Windows system remotely from IE, if it is on the user's system. I have included in it two sections: one section demonstrating running applications through the popup object; the second section demonstrating opening up control panels and the like from the earlier released bug "directoryInfo.html", i.e. the "file://::{CLSID}" feature of IE.

Potential Solution:
Fix required on the popup object.

Workaround Suggestions:
Disable Active Scripting, use Netscape on untrusted sites, browse trusted sites only, do not allow Active Scripting to be parsed in emails or news posts.

Vendor Status:
Emailed "Secure@microsoft.com"

Disclosure Policy:
I am not opposed to more warning for advisories and decide on that on a case-by-case basis. See also FullDisclosure.txt.
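As an added example that is not part of this advisory or of the author's funRun.html, the following Python scanner shows the kind of content check a mail gateway or web proxy could run against inbound HTML to flag the two constructs the advisory names: an OBJECT element whose codebase attribute points at a local path or an executable rather than a remote archive, and a link using the "file://::{CLSID}" shell-namespace form. The sample markup, the regular expressions and the function names (ObjectAuditor, audit_html) are constructed for this example; the paths and the all-zero CLSID are placeholders, not real values from the advisory.

```python
import re
from html.parser import HTMLParser

# Constructed sample input (placeholder paths and a null CLSID). It mixes the
# two constructs the advisory describes with benign markup that must not be flagged.
SAMPLE_HTML = """
<html><body>
<p>Hello</p>
<object codebase="file:///C:/placeholder/app.exe" id="o1"></object>
<object codebase="http://cdn.example.test/plugin.cab#version=1,0,0,0"></object>
<a href="file://::{00000000-0000-0000-0000-000000000000}/">control panel</a>
<img src="http://example.test/logo.png">
</body></html>
"""

# codebase values that point at the local machine: file: URLs, drive letters, UNC paths
LOCAL_CODEBASE = re.compile(r'^(file:|[a-z]:[\\/]|\\\\)', re.I)
# codebase values naming an executable instead of a signed .cab/.ocx distribution unit
EXEC_EXT = re.compile(r'\.(exe|com|bat|cmd|scr|pif|msi)(\?|#|$)', re.I)
# links into the shell namespace via a CLSID ("file://::{...}")
CLSID_SHELL = re.compile(r'^file://::\{', re.I)


class ObjectAuditor(HTMLParser):
    """Collects (rule, value) findings while parsing HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value); value is None for bare attributes
        a = {name.lower(): (value or '') for name, value in attrs}
        if tag == 'object' and 'codebase' in a:
            codebase = a['codebase'].strip()
            if LOCAL_CODEBASE.search(codebase) or EXEC_EXT.search(codebase):
                self.findings.append(('object-local-codebase', codebase))
        for key in ('href', 'src'):
            if key in a and CLSID_SHELL.search(a[key].strip()):
                self.findings.append(('file-clsid-shell-link', a[key].strip()))


def audit_html(html):
    """Return the list of (rule, offending value) pairs found in the HTML."""
    parser = ObjectAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == '__main__':
    for rule, value in audit_html(SAMPLE_HTML):
        print(f'{rule}: {value}')
```

The check is deliberately conservative: a codebase pointing at an http(s)-hosted .cab is the normal way ActiveX controls are distributed and is left alone, while anything that resolves to the local file system or names an executable is reported for the filter to block or quarantine.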