The new addition here is abusing how you are able to load a ressource file, residing in a local security zone, into a window object. Service Pack 1 for IE6 did a lot to deter this on most regular window objects, but should have extended that effort to searchpanes as well. Seeing as the content of a search pane can be any registered COM extension to IE, perhaps more should be done to completely separate these from the reach of ordinary scripting. Combining the mediabar ressource loading with the file-protocol proxy demonstrates just how effectively one can combine several vulnerabilities to achieve a higher level of automation in planting and executing files. The media bar ressource loading, and any other ressource loading technique, can be combined with any other cross-domain scripting vulnerability to achieve the same result. We will definitely see more combinatorial vulnerabilities in the time to come. Regards Thor Larholm PivX Solutions, LLC - Senior Security Researcher http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities ----- Original Message ----- From: "jelmer" <jkuperus@planet.nl> To: <bugtraq@securityfocus.com> Cc: <full-disclosure@lists.netsys.com> Sent: Thursday, September 11, 2003 3:31 PM Subject: [Full-Disclosure] Internet explorer 6 on windows XP allows exection of arbitrary code > Internet explorer 6 on windows XP allows exection of arbitrary code > > DESCRIPTION : > > Yesterday Liu Die Yu released a number series of advisories concerning > internet explorer > by combining on of these issues with an earlier issue I myself reported a > while back > You can construct a specially crafted webpage that can take any action on a > users system > including but not limited to, installing trojans, keyloggers, wiping the > users harddrive etc. <snip http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html>
