IE & Outlook Run Windows Commands without Scripting



"An attacker can run arbitrary commands on Windows machines with a simple bit of HTML, an Israeli security researcher has demonstrated. The exploit will work with IE, Outlook and Outlook Express even if active scripting and ActiveX are disabled in the browser security settings.

MS has yet to patch the hole

The problem here is data binding, an old 'feature' going back to IE4 in which a data source object (DSO) is bound to HTML."

The Register

GreyMagic Security Advisory GM#001-IE
