[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] What about M$ in the shell: race

To: "'Perrymon, Josh L.'" <PerrymonJ@xxxxxxx>
Subject: RE: [Full-Disclosure] What about M$ in the shell: race
From: "Larry Seltzer" <larry@xxxxxxxxxxxxxxxx>
Date: Sat, 10 Jul 2004 11:47:37 -0400

>>However, the shell: command opens the programs when used locally in the URL 
>>bar.  

If by this you are referring to the preposterous scenario in which someone 
literally
types 'shell:windows\\system32\\calc.exe' or something like it into the Address 
bar, I
just tested it and you're incorrect. I get an Invalid Syntax error. Try again.

>>I think it would have to be used with another IE vuln to really create a
problem-However, the shell: command opens the programs when used locally in the 
URL bar.
I think it would have to be used with another IE vuln to really create a 
problem- 

So because there are vulnerabilities in IE, anything and everything is 
exploitable? I
think you'll have to do better than this. Every bit of real testing I've seen 
shows this
is not a real vulnerability in IE.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
larryseltzer@xxxxxxxxxxxxx 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [Full-Disclosure] What about M$ in the shell: race
  - From: Perrymon, Josh L.

Prev by Date: [Full-Disclosure] Security contact at Lexmark? Anyone?
Next by Date: RE: [Full-Disclosure] What about M$ in the shell: race
Previous by thread: RE: [Full-Disclosure] What about M$ in the shell: race
Next by thread: Re: [Full-Disclosure] Multiple Antivirus Scanners DoS attack. [summery]
Index(es):
- Date
- Thread