[Dshield] Internet Explorer Advisory / apology
jullrich at sans.org
Sun Mar 3 00:19:24 GMT 2002
-----BEGIN PGP SIGNED MESSAGE-----
Internet Explorer has a number of severe issues, that have not
been addressed by Microsoft so far. Recently, a user posted the
URL provided below to show what can be done with these holes.
Posting exploit code like this is of course always a difficult
issue. In my opinion, if an exploit exist, its ownership and use
by a small group of crackers is often more damaging than making
the community at large aware of it (and allowing them to take
the necessary counter measures).
Anyway. I regretfully rejected the post, partially because the
URL for the exploit was not marked as an 'exploit'. So the post
got rejected... and I never took note who submitted it, so I cant
really give credit here.
The URL below will launch a 'command shell' on Windows XP and 2000. It
works on my Windows XP Pro test system, which is fully patched according
to Windows Update.
You may not want to launch this URL from a "trusted/secure" system.
While I do not believe it does anything malicious, it could be changed by
Here it goes (inserted a space to prevent people from clicking without
thinking): http://www.liguidwd. freeserve.co.uk
Internet Explorer vulnerabilities are in particular a big problem with
plenty of exploited MS IIS servers still on the net and exploits for
php/Apache about to be launched.
running into this issue. The next URL using this code may do more than
just launch a shell.
Also, the effected systems (Win2k, XP) have the ability to setup
different user accounts with different privileges. Too many users still
use accounts with 'Administrator' privilege for everyday use / web
Please sound the necessary alarms if you hit a URL that exploits any of
jullrich at euclidian.com Join http://www.DShield.org
Distributed Intrusion Detection System
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
More information about the list