Kazaa's IE control (at least in 1.7.x) seems to treat certain URLs differently, too, which could pose a problem. For example, http://localhost/KazaaSearchQuery performs a search (a form for this is displayed on desktop.kazaa.com). Putting more than 272 bytes into the query argument causes a crash; I haven't checked if it's possible to run malicious code with this.

apl

----- Original Message -----
From: "David Krum" <frobnitz@msn.com>
To: <bugtraq@securityfocus.com>
Sent: Friday, October 18, 2002 11:33 AM
Subject: KaZaA

> I'm concerned about all the applications which utilize ie browser controls.
> There are a lot of adware programs with little ads. Some of these ads have
> activex, java, flash, js. Any one of these capabilities in the wrong zone
> could be dangerous.
>
> My attention was first drawn to this when I noticed KaZaA launching popups
> sourced from the local hard disk. Surely these ads are running in the local
> zone. To use software that does this I have to trust them to audit the ads
> given to them?