Yet Another Huge IE Security Bug
Thursday August 26th, 1999
IE's hit with another security bug, this one called worse than Melissa by the team that discovered it. The bug comes from security flaws in IE's Java Virtual Machine. If you open an email message with malicious Java code using Outlook, Outlook Express, or Eudora (which uses IE's MS's HTML rendering code), you're infected. The bug only affects Windows 98 users and some Windows 95 users. To read more on this new vulnerability, check out the article at Wired News.
As an interesting side note, Edward Felten, known best for his testimony in the Microsoft Antitrust trial, is on the team that discovered the bug.
#8 It's because of ActiveX's horrid security model.
Tuesday August 31st, 1999 10:07 AM
You are replying to this message
Why is this such a big surprise to everyone?
It is a well known fact that any object which exists on the client can be created with a snippet of 'set myobj = creatobject("msword.document")' in vb script. Then, to manipulate something like msword to create a plain-text document requires no though at all. I'm surprised this dumbass just found what he's calling a bug. This is a very obvious use of these tools.
The main complaint that he should have is that vb script has a horrible security model. It requires that the user know when a page is safe to allow the ActiveX controls on it to be run. This is utterly rediculous.
At any rate, I'm glad I found this because I was looking for an object that would let me execute a shell command from vbs. (didn't particularly want to write it myself)