| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <021101c3d1a7$d99dffe0$6601a8c0@0xff> From: thor at pivx.com (Thor Larholm) Subject: Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV > From: "morning_wood" <se_cur_ity@...mail.com> > running "malware.html" locally does produce the desired results, but then > again... The exploit is intended and created to be run locally from a local security zone - getting to a local zone in the first place requires other vulnerabilities. > i can get any html to execute locally calling a remote location for the code, as > long as its run from the local machine. There are several steps involved in most of all IE command execution exploits, some of these involve downloading and executing a file once you are already in a local security zone. What http-equiv did was to simplify that part of the process by using the Shell.Application object. Regards Thor Larholm Senior Security Researcher PivX Solutions 24 Corporate Plaza #180 Newport Beach, CA 92660 http://www.pivx.com thor@...x.com 949-231-8496 PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>
Powered by blists - more mailing lists