> From: "morning_wood" <[EMAIL PROTECTED]> > running "malware.html" locally does produce the desired results, but then > again...
The exploit is intended and created to be run locally from a local security zone - getting to a local zone in the first place requires other vulnerabilities. > i can get any html to execute locally calling a remote location for the code, as > long as its run from the local machine. There are several steps involved in most of all IE command execution exploits, some of these involve downloading and executing a file once you are already in a local security zone. What http-equiv did was to simplify that part of the process by using the Shell.Application object. Regards Thor Larholm Senior Security Researcher PivX Solutions 24 Corporate Plaza #180 Newport Beach, CA 92660 http://www.pivx.com [EMAIL PROTECTED] 949-231-8496 PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
