> TXT or HTML? -- IE NEW BUG > vulnerable programs: > IE4 ,IE5 ,IE5,IE6 ,Microsoft Word ,Microsoft > Excel,Microsoft PowerPoint, > Tencent explorer (I've tested all the versions of IE that i can find, they are all vulnerable) > description: > IE doesn't recognize the extensions of files, which may contain some html code. I'm afraid this is somewhat incorrect. Windows shell programs do recognize the file extensions. The problem is that when a user opens a file with a html aware application, the html parser always tries to read tags in the file. This happens in html reading/writing programs (notice that all the programs you pointed out as being vulnerable do this), and not on others. It is my belief that microsoft is aware of this. After all, they know they have html parsers on their programs, because thats one of the functions of those (go imagine IE not parsing html targets on files it reads stand-alone. it wouldn't be a browser at all). Thus, this is no bug at all. Probably the code parsing shouldn't be done in files other than .html, .htm, but if it is not to be considered as a bug. > 1) download some antivirus softwares. and update the virus datebase all the > time. and change the name of some 'dangerous' programs in your system, such > as format.exe deltree.exe etc. i.e change format.exe to format_0.com etc. > 2) try, not to visit those so-called 'hacker'or'cracking'sites. most of the > time, you are the victim while you want to learn to attack others. > 3) if you have to go visit some site that you are not quite sure if they are > safe. then check it here first: http://crazybird.51.net/look.htm > or you can also save the source code of this page to your computer, then > save it as *.htm, so you can execute it on your own comp. be aware if it > says "the web page contains some unsafe ActiveX" or something like that, > then you'd better not to execute that ActiveX widget. and i can't promise > that it can give you this kind of warn for any aggressive files.. > 4) DO NOT open your attachment in IE!!!!!don't ever open any type of file in > IE directly!!!BE AWARE!! you'd better use antivirus to scan it before you > open it after you've download it to ur computer. > 5) Update the system patch immediately if the patch comes out. I consider these not sollutions to what you point out as a problem, but general tips to avoid security problems. Antiviral software wont prevent html parsers from doing their job. Also, changing name of system utilities wont do anything at all. About your 4th solution. I don't believe antiviral software detects any kind of html or activex as being potentially harmful. And finally, i don't believe any patch will come out to prevent html parsing. Fred Oliveira Box Network (www.boxnetwork.net)
This archive was generated by hypermail 2b30 : Sat Jul 28 2001 - 20:01:33 PDT