Additionally, you cannot pass a parameter to the executable launched.

----- Original Message -----
From: "Stefan Osterlitz" <stefanat_private>
To: "GreyMagic Software" <securityat_private>
Cc: "BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQat_private>
Sent: Friday, March 01, 2002 7:01 PM
Subject: Re: IE execution of arbitrary commands without Active Scripting or ActiveX (GM#001-IE)

> > Solution:
> > =========
> >
> > There is no configuration-tweaking workaround for this bug, it will work as
> > long as the browser parses HTML. The only possible solution must come in the
> > form of a patch from Microsoft.
>
> IMHO this is wrong. you can disable the download of signed / unsigned
> activex controls.
> my ie version 5.00.2614.3500 w/patches is not vulnerable with that setting.
>
> > Tested on:
> > ==========
> >
> > IE5.5sp2 Win98, all patches, Active scripting and ActiveX disabled.
> > IE5.5sp2 NT4 sp6a, all patches, Active scripting and ActiveX disabled.
> > IE6sp1 Win2000 sp2, all patches, Active scripting and ActiveX disabled.
> > IE6sp1 WinXP, all patches, Active scripting and ActiveX disabled.

This archive was generated by hypermail 2b30 : Sun Mar 03 2002 - 12:59:45 PST