[Dshield] Internet Explorer Advisory / apology

Brian McWilliams bmcw at attbi.com
Sun Mar 3 02:47:18 GMT 2002


Glad to see some attention being given in recent days to that Pop-Up attack.

That URL ( http://www.liquidwd.freeserve.co.uk/ ) is actually an 
independent demo of one of the exploits published in January by a 
researcher named ThePull:


Fortunately, ThePull and GreyMagic Software, which just put out a perhaps 
more technically accurate assessment of the flaw, have not found a way to 
pass parameters to the pop-up application. So, you can get a command prompt 
but you can't feed it commands, etc.

GreyMagic's advisory is here:


Thor Larholm has noted that this flaw may actually have been discovered 
back in Nov 2000 by Georgi Guninski:


For some reason, Microsoft still hasn't addressed the vulnerability:



At 07:19 PM 3/2/2002, jullrich at sans.org wrote:
>   Internet Explorer has a number of severe issues that have not
>been addressed by Microsoft so far. Recently, a user posted the
>URL provided below to show what can be done with these holes.
>   Posting exploit code like this is of course always a difficult
>issue. In my opinion, if an exploit exists, its ownership and use
>by a small group of crackers is often more damaging than making
>the community at large aware of it (and allowing them to take
>the necessary countermeasures).
>   Anyway. I regretfully rejected the post, partially because the
>URL for the exploit was not marked as an 'exploit'. So the post
>got rejected... and I never took note who submitted it, so I can't
>really give credit here.
>   The URL below will launch a 'command shell' on Windows XP and 2000. It
>works on my Windows XP Pro test system, which is fully patched according
>to Windows Update.
>   You may not want to launch this URL from a "trusted/secure" system.
>While I do not believe it does anything malicious, it could be changed by
>   Here it goes (inserted a space to prevent people from clicking without
>thinking): http://www.liguidwd. freeserve.co.uk
>   Internet Explorer vulnerabilities are in particular a big problem with
>plenty of exploited MS IIS servers still on the net and exploits for
>php/Apache about to be launched.
>   The particular exploit will require Javascript to run. In my opinion,
>if you have to use MSIE, disable javascript/active scripting to avoid
>running into this issue. The next URL using this code may do more than
>just launch a shell.
>   Also, the affected systems (Win2k, XP) have the ability to set up
>different user accounts with different privileges. Too many users still
>use accounts with 'Administrator' privilege for everyday use /  web
>   Please sound the necessary alarms if you hit a URL that exploits any of
>these issues.
>- --
>- -------
>jullrich at euclidian.com               Join http://www.DShield.org
>                           Distributed Intrusion Detection System