View Full Version : Fun.



Ben
February 25th, 2003, 21:47
I just received this via Bugtraq. It's demonstrating a vulnerability in IE, a self-executing html file. Download the zip file and run the HTML file in IE. Don't worry, I checked it for hidden "surprises."

Here's a copy of the Bugtraq message:

Tuesday, February 25, 2003

We are delighted to learn that the original self-executing html file,
from June 1 2002 is now fixed with the most current of the many
patches for the Internet Explorer series of browsers. See:

http://online.securityfocus.com/archive/1/275126

Regrettably.

The following file is an html file comprising both scripting and an
executable [*.exe].

We inject scripting and an executable into the html file which is
designed to point back to the executable in the html file and execute
it. Provided the html file is an html file, Internet Explorer 5.5 and
6.0 will execute it.

Because it is an html file proper, Internet Explorer opens it. The
scripting inside is then parsed and fired. That scripting is pointing
back to the same executable file with our original codebase object
from the year 2000 and because it is a self-executing html file, it
executes !

Tested IE5.5 and IE6. Fully self-contained harmless *.exe:

http://www.malware.com/html.exe.zip

Be aware of html files out there.

Key Words: Trust it's Worthy so Think it's Tank silly obvious

It's really quite interesting, when you see what can be done :confused2
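
For defenders, the Bugtraq message quoted above describes a single file that is both HTML and an executable. The following is an added example, not part of the original thread or the Bugtraq post: it flags files that look like HTML but also carry a PE image, assuming the executable is embedded as raw bytes. All function names and sample data are constructed for illustration.

```python
import re
import struct

# Markup that makes a file "look like HTML" to a browser (heuristic, assumption)
HTML_MARKERS = re.compile(rb"<\s*(html|script|object)\b", re.IGNORECASE)

def find_pe_images(data: bytes) -> list:
    """Return offsets where a DOS 'MZ' header links to a 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        # e_lfanew (offset of the PE header) is a little-endian DWORD at MZ+0x3C
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def classify(name: str, data: bytes) -> dict:
    """Flag content that is HTML by name or markup and also contains a PE image."""
    looks_html = name.lower().endswith((".html", ".htm")) or bool(HTML_MARKERS.search(data))
    pe_offsets = find_pe_images(data)
    return {"name": name, "html": looks_html, "pe_offsets": pe_offsets,
            "suspicious": looks_html and bool(pe_offsets)}

def make_pe_stub() -> bytes:
    """Constructed, non-functional stub: only the header fields the scanner reads."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)

# Constructed samples: plain HTML that merely mentions "MZ", and HTML plus a PE stub
SAMPLE_CLEAN = b"<html><body>MZ is the DOS header magic</body></html>"
SAMPLE_POLYGLOT = b"<html><script>/* constructed */</script></html>\n" + make_pe_stub()

if __name__ == "__main__":
    for name, blob in (("page.html", SAMPLE_CLEAN), ("odd.html", SAMPLE_POLYGLOT)):
        print(classify(name, blob))
```

A mail gateway or download scanner could run a check like this on attachments before they reach a local mail client or the desktop.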

Daniel
February 25th, 2003, 21:58
o_O

This is going to get quite interesting...

notnamed
February 25th, 2003, 22:21
Why do you think I use Mozilla 99.9% of the time? :biggrin2:

is0lized
February 25th, 2003, 22:34
Turning activex off doesn't do crap.

notnamed
February 25th, 2003, 23:02
All it's doing for me in Mozilla 1.3b is sitting there spinning its little logo with the words "malware.com" in red letters...just like it shows in the source. A search for 'malware.exe', several times referenced in the source, turns up nothing. I think it _does_ 'do crap' :p

is0lized
February 25th, 2003, 23:10
I'm switching to mozilla, turning everything off still doesn't stop it. They said on that site that it won't


This is a BIG problem and there is no way to stop it if you use IE

notnamed
February 25th, 2003, 23:23
Woo, a convert :devious2:
I don't see how IE can have such a large and largely blind following with stuff like this out there...

is0lized
February 25th, 2003, 23:46
Hah, only works if you open the .zip

download the zip and extract it to your hard drive, then upload it to your website...

If you have activex disabled, doesn't do crap.


You have to download the file and open it, which is no big whoop..

Daniel
February 26th, 2003, 07:26
You don't have to extract it for it to work. It works if you just open the file within the .zip.

Ben
February 26th, 2003, 07:32
*hits self on the forehead* Oh ---- I'm stupid. I forgot, hit enter to get out of the program.

notnamed
February 26th, 2003, 12:16
Originally posted by is0lized
Hah, only works if you open the .zip
download the zip and extract it to your hard drive, then upload it to your website...
If you have activex disabled, doesn't do crap.
You have to download the file and open it, which is no big whoop..

Was that directed towards me? I did download and unzip the file, then I opened it in Mozilla 1.3b. All it did was sit there spinning its logo with the malware.com text. Here's what it looks like in Mozilla --> http://not-named.net/malware.png (47KB)

Daniel
February 26th, 2003, 14:54
Originally posted by Ben
*hits self on the forehead* Oh ---- I'm stupid. I forgot, hit enter to get out of the program.

Really? I just pressed spacebar and that worked. :D

CareBear
February 26th, 2003, 15:26
I downloaded the wrong file :o

It opens IE and just has the site's name in red on black... some exploit :confused2

is0lized
February 26th, 2003, 16:53
No, it can't be run from the web, you have to download it.


I extracted it and uploaded it to my site. It said activex is trying to run and it won't be displayed. It only bypasses activex if you download it.


I'm not so worried now

CareBear
February 26th, 2003, 16:56
it doesn't "run" anything for me locally either. Maybe your permissions are set too loosely?

Ben
February 26th, 2003, 17:01
Originally posted by notnamed
Was that directed towards me? I did download and unzip the file, then I opened it in Mozilla 1.3b. All it did was sit there spinning its logo with the malware.com text. Here's what it looks like in Mozilla --> http://not-named.net/malware.png (47KB)
Well, it's an exploit in Internet Explorer :eek:

And is0lized: That's because most of us here are computer literate. Think of some dude(ette) who just bought their first computer and sees something called ActiveX in IE. Do you really think they are going to know what it is/does? :eek:

CareBear
February 26th, 2003, 17:12
Originally posted by Ben
Well, it's an exploit in Internet Explorer :eek:

And is0lized: That's because most of us here are computer literate. Think of some dude(ette) who just bought their first computer and sees something called ActiveX in IE. Do you really think they are going to know what it is/does? :eek:
I'd hope anyone - computer literate or not - would have the common sense to not just download some file and then run it on his/her computer because some site tells them to.
It takes advantage of the fact that IE uses different security zones for the internet and for local.
Those 'exploits' are just made up for the sake of releasing exploits.
I think I'll send out a mass email saying Windows is insecure because if you open up a command prompt and type: "format c:" you lose all your data!

Ben
February 26th, 2003, 17:28
So it works locally. What if someone attaches it to an email, and the target uses KMail, Outlook Express, Mozilla Mail, or some other local mail client? :eek:

is0lized
February 26th, 2003, 17:45
Then you are screwed. Just glad it only works locally

Ben
February 26th, 2003, 18:19
Originally posted by is0lized
Then you are screwed. Just glad it only works locally
That was a rhetorical question ;)

is0lized
February 26th, 2003, 18:30
Just don't open any attachments ;)

CareBear
February 26th, 2003, 18:51
Originally posted by Ben
So it works locally. What if someone attaches it to an email, and the target uses KMail, Outlook Express, Mozilla Mail, or some other local mail client? :eek:
Outlook Express works either in the Internet security context or the Restricted one. Neither would allow the exploit to work unless you changed them to allow unsafe controls to run without warning.

Ben
February 26th, 2003, 18:58
Originally posted by CareBear
Outlook Express works either in the Internet security context or the Restricted one. Neither would allow the exploit to work unless you changed them to allow unsafe controls to run without warning.
I mean if they run it separately.

*sigh* Oh nevermind.