Ghosting This page is a description of a ghosting attack and flaw on Internet Explorer 4. Internet Explorer 4 has a flaw that allows an applet to write to its desktop or to other windows. The following is a description(in sequence) of the ghosting attack which is done by a test applet which draws white(colour of a ghost) image on the screen. 1.The victim visits the page. 2.The applet is loaded. 3.The applet fails to work. The applet seems to be stuck at the initialisation process. 4.The victim thinks that he/she has just loaded another badly coded applet. 5.The victim then closes the browser associated with the "bad" applet. 6.The applet starts attacking the active window, the desktop or Start menus usually after victim clicks mouse button. The following are the symptoms on Internet Explorer 4 on a Pentium PC * White pixels will flood the whole desktop. * White pixels will flood the menu bar/Start button * White pixels will try to flood active window but not 100% successful. * Victims may not see their mouse cursor. * Victims cannot see where they are clicking or where to click Here are several screen captures of the symptoms Symptom No 1(Desktop view):Desktop flooded,start menu nearly flooded Symptom No 2(Internet Explorer 4 view):web page area and rebar menu contents flooded, rebar nealy flooded The following is a test results on different installations of Internet Explorer 4 Browser WAD Ghost Appears? Internet Explorer 4.0/Win95 X X Internet Explorer 4.0/Win95 O ? Internet Explorer 4.01/Win95(Upgrade) X X Internet Explorer 4.01/Win95 O O Internet Explorer 4.01/Win95 X X Internet Explorer 4.0/Win/WinNT3.x ? ? Internet Explorer 4.0/Mac ? ? WAD-With Active Desktop Component installed? X-Yes O-No From the above results we can see that this flaw only exists for installations of Internet Explorer 4 together with Active Desktop Component. Otherwise the Internet Explorer is safe from the attack. Recovery: * Those familiar with windows will try to "end task" the explorer by using the famous CTRL+ALT+DEL. * However most victims will restart their computer. * Such victims should log off and relogin for a fast recovery. Cacaio Personal Page: http://www.a-vip.com/cacaio The Death Knights group: http://www.deathsdoor.com/tdk +-------------------------------------------------------+ | BrasNet IRC Servers Network - Brazil | | irc.brasnet.org irc.webtech.com.br | +-------------------------------------------------------+ Tragic Bombs: Hiroshima'45 Chernobyl'86 Windows'95
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:50:39 PDT