IE, Outlook run malicious commands without scripting

An attacker can run arbitrary commands on Windows machines with a simple bit of HTML, an Israeli security researcher has demonstrated The exploit will work with IE, Outlook and OutlooK Express even if active scripting and ActiveX are disabled in the browser security settings.

The problem here is data binding an old 'feature' going back to IE4 in which a data source object (DSO) is bound to HTML.

News source: The Reg

View: The full story

Report a problem with article
Next Article

Adobe AlterCast

Previous Article

VIA USB Filter Patch v1.10

-1 Comments - Add comment

Advertisement