Another Serious MSIE Hole

pjrc writes "Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"

The Demo

[trp642]

A little demo for those still using IE...

Re:Here it comes...

[Incongruity]

Let's bash the shit out of MS. In fact, you can do that while installing the 35th sendmail patch this week. Or the 54th SSH. Or the... (etc etc) Whatever makes you feel less like an angry hate monger :)

The difference is that they actually patch sendmail and SSH for the security problems found...in the MSIE case, a number of problems have yet to be patched (so here comes the other usual response...did you actually read the article??)

Exploit

This appears to use the MS CLSID as the target. To find the CLSID for any file type, simply look in the windows registry in HKEY_CLASSES_ROOT. If you attach the CLSID to the end of the filename, windows will hide this from you completely. Thus, if you request a file iloveyou.vbs.txt.{5e941d80-bf96-11cd-b579-08002b30 bfeb} - it will show up as a text file. Other holes would allow the web site to hide the .exe, vbs, etc part of the file name. In the past, the workaround for this was the big IE warning that you were downloading a harmful file... however this is now undermined.

Re:wtf is an HTML executable?

[Hentai]

.HTA file. Another WONDERFUL idea by Microsoft, where IE's HTML parser is given permission to execute pretty much anything it wants, and then you use HTML and Javascript to write the equivalent of GUI batch files.

Cool idea in the right hands, but here it's a disaster waiting to happen.