--- Eric <ews@tellurian.net> wrote:

> The Register was running the script locally - in the myComputer zone. If
> you host the malicious html on a webpage, etc. then the patch does indeed
> prevent the execution of code.

The object tag has always been able to run from My Computer in this manner. I use it for testing zone problems, which is how it was originally discovered. This was the original assessment of the bug and the reason why the potential was there for something nastier.

From Microsoft ( http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-015.asp ):

"In certain instances, IE incorrectly reckons these objects as being part of the Local Computer zone, even though the page itself is in a different zone, such as the Internet zone. Because the Local Computer zone is less restrictive than other zones, this can allow the web page to run executables on the local system without prompting."

From my addendum advisory ( http://groups.google.com/groups?q=pop-up+group:bugtraq&hl=en&selm=bugtraq/20020116183201.24698.qmail%40web12507.mail.yahoo.com&rnum=1 ) :->

"The object is being executed in My Computer security zone, i.e., the codebase problem is a Microsoft "feature", it just should only work in My Computer Zone -- not remotely."

Then I went on to explain why that is bad and potentially exploitable.

<snip>
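As an added defender-side example (not code from the post, Microsoft, or the advisory), here is a small Python scanner that flags HTML `<object>` elements whose `codebase` attribute resolves to a local executable, which is the pattern the thread above describes IE running in the Local Computer zone; the extension list and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that would launch a native program if IE resolved the codebase
# in the Local Computer zone (constructed list, not taken from the post).
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def _is_local_codebase(codebase):
    """True if a codebase URL points at the local file system."""
    cb = codebase.strip().lower()
    if urlparse(cb).scheme == "file":
        return True
    # Drive-letter paths (c:\... or c:/...) and UNC paths (\\host\share\...)
    if len(cb) >= 2 and cb[0].isalpha() and cb[1] == ":":
        return True
    return cb.startswith("\\\\")


class ObjectCodebaseScanner(HTMLParser):
    """Collect <object> elements whose codebase names a local executable."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":  # HTMLParser already lowercases tag names
            return
        attrs = {k: (v or "") for k, v in attrs}
        codebase = attrs.get("codebase", "")
        if not codebase:
            return
        path = urlparse(codebase.strip().lower()).path or codebase.lower()
        if _is_local_codebase(codebase) and path.endswith(EXEC_EXTENSIONS):
            self.findings.append(codebase)


def scan_html(html):
    """Return the codebase values of every suspicious <object> in the page."""
    scanner = ObjectCodebaseScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: one local executable codebase (flagged), one remote
# CAB codebase and one plain classid object (both left alone).
SAMPLE_HTML = """
<html><body>
<object codebase="c:/placeholder_dir/placeholder.exe"></object>
<object codebase="http://example.invalid/cab/control.cab"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>
"""
```

Running `scan_html(SAMPLE_HTML)` returns only the local-executable codebase, so the scanner can be pointed at proxy-captured or mail-borne HTML without touching a browser.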