RE: Javascript in IE may spoof the whole screen

From: Thor Larholm (Thorat_private)
Date: Wed Oct 24 2001 - 03:10:06 PDT

Next message: zen-parse: "Advisory: Corrupt RPM Query Vulnerability"

Previous message: Thomas Biege: "SuSE Security Announcement: htdig (SuSE-SA:2001:035)"
Maybe in reply to: Georgi Guninski: "Javascript in IE may spoof the whole screen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> From: Julian Hall
> > Georgi Guninski security advisory #50, 2001
> > Image moving over download/open dialog:
> > http://www.guninski.com/opf2.html
> > BSOD emulation:
> > http://www.guninski.com/bsod1.html
> 
> Neither of these demonstrations function correctly in IE 5.0; 
> they produce script
> error message boxes, reporting that the 'object does not 
> support the requested
> method'.  I don't know whether that means IE 5.0 isn't 
> vulnerable or not...

It means that Guninski used the popup object in his examples, which was
first introduced in IE5.5+ - using chromeless window objects will yield the
same results in IE4+.

The advisory still holds, the example was just flawed.

Regards
Thor Larholm
Jubii A/S - Internet Programmer

Next message: zen-parse: "Advisory: Corrupt RPM Query Vulnerability"
Previous message: Thomas Biege: "SuSE Security Announcement: htdig (SuSE-SA:2001:035)"
Maybe in reply to: Georgi Guninski: "Javascript in IE may spoof the whole screen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 08:19:24 PDT