Confirmed on IE 5.0 too :(

Sorry One Liner,
Dike

> -----Original Message-----
> From: http-equiv@excite.com [mailto:http-equiv@malware.com]
> Sent: Wednesday, February 26, 2003 4:45 AM
> To: bugtraq@securityfocus.com
> Subject: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part II
> Tuesday, February 25, 2003
>
> We are delighted to learn that the original self-executing html file,
> from June 1 2002 is now fixed with the most current of the many
> patches for the Internet Explorer series of browsers. See:
>
> http://online.securityfocus.com/archive/1/275126
>
> Regrettably.
>
> The following file is an html file comprising both scripting and an
> executable [*.exe].
>
> We inject scripting and an executable into the html file which is
> designed to point back to the executable in the html file and execute
> it. Provided the html file is an html file, Internet Explorer 5.5 and
> 6.0 will execute it.
>
> Because it is an html file proper, Internet Explorer opens it. The
> scripting inside is then parsed and fired. That scripting is pointing
> back to the same executable file with our original codebase object
> from the year 2000 and because it is a self-executing html file, it
> executes !
>
> Tested IE5.5 and IE6. Fully self-contained harmless *.exe:
>
> http://www.malware.com/html.exe.zip
>
> Be aware of html files out there.
>
> Key Words: Trust it's Worthy so Think it's Tank silly obvious
>
> --
> http://www.malware.com
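
A defender-side check for the file shape the quoted advisory describes (one file that is both HTML markup and a carrier for an executable), as an added example that is not part of the original thread. The heuristics, function names and sample bytes are assumptions constructed here; nothing is taken from the sample file the advisory links to.

```python
import re
import struct

# Heuristics below are assumptions for illustration; they are not derived
# from the sample file referenced in the thread.
HTML_MARKUP = re.compile(rb"<\s*(html|script|object)\b", re.I)
OBJECT_CODEBASE = re.compile(rb"<\s*object\b[^>]*\bcodebase\s*=", re.I)

def find_pe_offsets(data: bytes) -> list:
    """Offsets where an MZ header points at a valid PE signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            # e_lfanew at MZ+0x3C holds the offset of the PE signature.
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def inspect(data: bytes) -> dict:
    """Flag content that is both HTML markup and a carrier for a PE image."""
    pe = find_pe_offsets(data)
    html = bool(HTML_MARKUP.search(data))
    return {
        "html_markup": html,
        "object_codebase": bool(OBJECT_CODEBASE.search(data)),
        "pe_offsets": pe,
        "suspicious": html and bool(pe),
    }

# Constructed inputs: a header-only PE stub (no code) and placeholder markup.
PE_STUB = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
PLAIN_HTML = b"<html><body>MZ is just text here</body></html>\n"
TAGGED_HTML = b'<html><object codebase="PLACEHOLDER"></object></html>\n'
COMBINED = TAGGED_HTML + PE_STUB

if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_HTML), ("combined", COMBINED), ("stub", PE_STUB)]:
        print(name, inspect(blob))
```

Checking the `e_lfanew` pointer rather than the bare `MZ` bytes keeps ordinary HTML that happens to contain those two letters from being flagged.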