lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri Jan 27 23:39:13 2006
From: stuartd at gmail.com (Stuart Dunkeld)
Subject: Re: [security] What A Click! [Internet Explorer]

On 27/01/06, yossarian <yossarian@...net.nl> wrote:

> HTA runs applications from HTML documents. Like I mentioned, never broke
> anything in my experience. And yes, I sometimes develop stuff on this old
> windows box, including webstuff. HTA is a MS invention,  Firefox has
> followed. But the main thing HTA has been, and IMHO will remain, is a
> security flaw.
>

FUD. HTAs are scripts which run outside the context of Internet
Explorer's security model because they are hosted by mshta.exe.
Firefox has nothing to do with it.

Anyway, the fact that the payload of this PoC is an HTA is irrelevant:
the user is fooled into clicking the Run dialog by the Agent overlay,
and the payload could as eaily be any Windows executable. The
advantage of an HTA in this situation, of course, is that the paranoid
can inspect it to see exactly what it does: not so easily when a PoC
drops booom.exe into your c: drive and executes it.

You might be interested to know that Window's Add/Remove programs
dialog is itself an HTA - paste res://appwiz.cpl/default.hta into
IE6's address bar to see for yourself.

>  Never had an active scripting host, and that had
> also never had an adverse effect.

Scripting can be quite useful, in Windows just as any other OS.

> 'Everything web' includes worms, spyware and the like. Dunno, I prefer my
> web a bit cleaner. Sandboxing is possible, just like anything web, by
> running the browser in a citrix or terminal server box. They, being windows,
> based might be compromised as well, so maybe a better idea is to run a java
> based browser in a JVM and have it over with, use something like JREX or
> Opera.  If corporate, you might prefer server side java.. Run the JVM on a
> tomcat or websphere on nix or even use the old big iron, open a sandboxed
> browser in a normal browser.....  et voila, a sandboxed browser. Some say
> Tarantella might do the trick neatly, have not looked into that yet.
>

Why not just unplug your computer?

Regards

stuartd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ