Naturally, this only works from a local security zone such as the My Computer zone. You cannot exploit the Shell.Application object from the Internet Zone where you get an explanatory "Permission Denied" error.

This eases the process of abusing local security zone privileges but does not change the fact that you could already download and execute files when inside a local security zone. If you want to "exploit" this from the Internet Zone you still need to rely on yet another cross-domain vulnerability as well as a local file loading vulnerability to gain access to the My Computer zone, where you could already use ADODB and codeBase to execute files.

One more way to do the same, but definitely a more explanatory and simplistic approach ;)

Naturally, locking down the My Computer zone prevents this exploit from working - personally, I would recommend installing Qwik-Fix and forgetting about command execution vulnerabilities in IE :)

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
949-231-8496

PivX defines "Proactive Threat Mitigation".
Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>

-----Original Message-----
From: http-equiv@excite.com [mailto:1@malware.com]
Sent: Thursday, January 01, 2004 2:43 PM
To: bugtraq@securityfocus.com
Cc: NTBugtraq@listserv.ntbugtraq.com
Subject: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV

<snip http://www.securityfocus.com/archive/1/348688/2003-12-30/2004-01-05/0>

<snip http://tinyurl.com/29bga>