[vox] More IE exploits

Samuel N. Merritt spam at andcheese.org
Fri Jun 25 15:52:49 PDT 2004


On Fri, Jun 25, 2004 at 03:46:12PM -0700, Bill Kendrick wrote:
> On Fri, Jun 25, 2004 at 03:36:21PM -0700, Rod Roark wrote:
> > Actually... looking at both stories and taking them at face
> > value, it appears these are two entirely different security
> > holes.
> 
> Yeah, upon further inspection, I was a little confused, too.
> Of course, the BBC said people are inserting Javascript
> 'into GIF and JPG files', which makes no sense whatsoever...
> 
> Unless IE is being particularly dumb with something like:
> 
>   <img src="http://badguy.com/malware.js">

I don't know what the problem is with this particular hole, but IE
historically has lots of problems with guessing a file's type based
on extension and mixing that up with the MIME type. 

For example, IE had a security hole some time ago involving
background sounds; if you specified bgsound="evil.js" in a web page
and the server said its MIME type was a MIDI file, IE would decide
to play the file and hand it off to a local player thread. 

Well, that thread would look at the extension and execute evil.js as
JavaScript in the local security zone. 

I undoubtedly have some of the details wrong, but the general idea
is there.

-- 
Samuel Merritt
OpenPGP key is at http://meat.andcheese.org/~spam/spam_at_andcheese_dot_org.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
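The mismatch Samuel describes (a resource whose extension, declared Content-Type and actual bytes disagree, which a sniffing browser then resolves on its own) is something a defender can check for on the server side. The following is an added example, not code from this thread or from any project mentioned in it: it audits constructed HTTP responses (the example.test URLs, header sets and bodies are all made up for illustration) and flags three inconsistencies: an extension that implies a different type than the server declared, a declared binary type whose magic bytes are absent from the body, and a missing `X-Content-Type-Options: nosniff` header, which is the standard way to tell modern browsers not to guess.

```python
"""Audit HTTP responses for Content-Type / extension / magic-byte disagreement.

Added example with constructed sample data; not code from the vox thread.
"""
import os
from urllib.parse import urlparse

# Content-Type a well-behaved server is expected to declare per extension
EXT_TYPES = {
    ".gif": "image/gif", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".png": "image/png", ".mid": "audio/midi", ".midi": "audio/midi",
    ".js": "application/javascript", ".html": "text/html",
}

# Leading bytes ("magic numbers") that identify the binary formats above
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "audio/midi": (b"MThd",),
}


def declared_type(headers):
    """Media type from Content-Type, parameters stripped, lowercased ("" if absent)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "")
    return ctype.split(";", 1)[0].strip().lower()


def check_response(url, headers, body):
    """Return a list of findings for one response; an empty list means consistent."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    ctype = declared_type(headers)

    # 1. Extension and declared type disagree (the bgsound="evil.js" situation)
    expected = EXT_TYPES.get(ext)
    if expected and ctype != expected:
        findings.append(
            f"extension {ext} implies {expected} but server declared {ctype or '(none)'}")

    # 2. Declared binary type, but the body does not carry its magic bytes
    if ctype in MAGIC and not body.startswith(MAGIC[ctype]):
        findings.append(f"body does not start with the magic bytes of {ctype}")

    # 3. No nosniff header, so a sniffing client may override the declared type
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff header missing")
    return findings


# Constructed sample responses (hypothetical host example.test, not real captures)
SAMPLES = [
    ("http://example.test/logo.gif",
     {"Content-Type": "image/gif", "X-Content-Type-Options": "nosniff"},
     b"GIF89a\x01\x00\x01\x00"),
    # A .js resource served as MIDI, as in the bgsound case from the thread
    ("http://example.test/evil.js",
     {"Content-Type": "audio/midi"},
     b"var x = 1;\n"),
    # Declared as JPEG, but the body is text, so the JPEG magic is absent
    ("http://example.test/photo.jpg",
     {"Content-Type": "image/jpeg; charset=utf-8"},
     b"<html>\n"),
]


def audit(samples=SAMPLES):
    """Map each sample URL to its list of findings."""
    return {url: check_response(url, hdrs, body) for url, hdrs, body in samples}


if __name__ == "__main__":
    for url, findings in audit().items():
        print(url, "->", findings or "OK")
```

Only the first sample passes cleanly; the other two show how a single resource can carry three different "types" at once, which is exactly the ambiguity a sniffing client has to resolve by guessing. Running a check like this over a site's static assets is cheap, and serving `nosniff` removes the guess from the client's side.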

