Possible for Script to Deliver a Virus?

I've done some Googling on this, but can't find anything definitive looking
that isn't ancient.

The issue is whether the simple act of viewing an HTML page that contains
script or viewing an HTML Email message that contains script is (in and of
itself) enough to infect your machine with a virus.

I know that there were a few rather exotic methods used in the past to
exploit vulnerabilities of IE and/or Outlook/Outlook Express that required
only viewing to be infected, but even those weren't specifically delivered
by script were they? My understanding is that they used specially encoded
graphic objects or similar.

I know that script can do things that are irritating (spawn windows and
such) but I fail to see how they can actually do anything harmful to the
local system. Note that I am not talking about a script attachment that a
user might double-click. Only the script that would run just from viewing
the HTML content.

If it is true that this is possible, would one have to be running fairly
antiquated client software to be in danger?

TIA
May 15 '07 #1
In XP, if the user's security settings are set to low, and if the user
is an Administrator ... A HTML (or rather an HTA file HTML-look-
alike) can do about anything the author wants.

May 15 '07 #2
Lee
gi*******************@yahoo.com said:
>
> In XP, if the user's security settings are set to low, and if the user
> is an Administrator ... A HTML (or rather an HTA file HTML-look-
> alike) can do about anything the author wants.

An HTA has to be executed from the local system.
If you can be talked into downloading a file and clicking on it,
then you're vulnerable to all sorts of things, most of which
have nothing to do with computers.

May 15 '07 #3
David Gillen wrote:
> Rick Brandt said:
>> I've done some Googling on this, but can't find anything definitive
>> looking that isn't ancient.
>>
>> The issue is whether the simple act of viewing an HTML page that
>> contains script or viewing an HTML Email message that contains
>> script is (in and of itself) enough to infect your machine with a
>> virus.
>
> Yes it is.
> But, most of these kinds of security holes are fixed very quickly. If
> you keep your software (browser, mail client, etc.) up to date you
> should be relatively safe. Or use a non-Windows OS, which while
> neither 100% is far, far less likely to be subject to the same
> invasive techniques used by the lowlifes who develop such attacks.
>
> D.

Just to clarify though. Can anything you're describing be done with plain old
JavaScript or does it require some sort of exotic exploit?

May 15 '07 #4
Rick Brandt wrote:
> David Gillen wrote:
>> Rick Brandt said:
>>> I've done some Googling on this, but can't find anything definitive
>>> looking that isn't ancient.
>>>
>>> The issue is whether the simple act of viewing an HTML page that
>>> contains script or viewing an HTML Email message that contains
>>> script is (in and of itself) enough to infect your machine with a
>>> virus.
>>
>> Yes it is.
>> But, most of these kinds of security holes are fixed very quickly. If
>> you keep your software (browser, mail client, etc.) up to date you
>> should be relatively safe. Or use a non-Windows OS, which while
>> neither 100% is far, far less likely to be subject to the same
>> invasive techniques used by the lowlifes who develop such attacks.
>>
>> D.
>
> Just to clarify though. Can anything you're describing be done with plain
> old JavaScript or does it require some sort of exotic exploit?

Hi,

A bit of both often: an exotic exploit using JS.
As with most bugs/security holes, the problem was not obvious to the
developers: buffer overflows and such.

If you want to know about all details, I think Mozilla/FF have publicly
accessible bug trackers with comments.
IE/M$ probably fix their stuff silently (if they fix it at all) with minimal
comments about the security hole.

You can find more info and useful links at developer.mozilla.org.

Hope that helps.

Regards,
Erwin Moller
May 16 '07 #5
It also depends on your interpretation of the term "virus".

In IE, with JavaScript, you can do all kinds of "not so nice stuff"...
fill the user's autocomplete with pr0n entries, submit pages silently,
initiate downloads, etc.

The main trick is that most is relatively harmless... unless you click
"Accept" when something pops up... but JavaScript in IE does have
access to the file system (if you allow it)... thus if you do manage
to compromise the security settings in IE, with a crafted page, there
is a chance that you might be able to call the file system functions,
without the security checks in place. It's a big if, but... it is there
waiting to be exploited, should someone get in that far.

In IE7, things are "said" to be safer... but from my regular IE7
updates... I'm not convinced yet... ;-)

May 16 '07 #6
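
An added example, not written by any poster in this thread: the "if you allow it" condition in post #6 corresponds in IE to per-zone URL-action settings, and this sketch audits a `.reg` export of the Internet Settings Zones key for action 1201, which governs scripting of ActiveX controls not marked safe (the file-system object is one). The sample export is constructed, and flagging "prompt" as well as "enabled" is this example's own assumption.

```python
import re

# URL action 0x1201: "Initialize and script ActiveX controls not marked as
# safe for scripting", the gate in front of Scripting.FileSystemObject.
UNSAFE_ACTIVEX = "1201"
ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}
POLICY = {0: "enabled", 1: "prompt", 3: "disabled"}
KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_zones(reg_text):
    """Return {zone_id: {action: int}} from the text of a .reg export."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = zones.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            m = VAL_RE.match(line)
            if m:
                current[m.group(1).upper()] = int(m.group(2), 16)
    return zones

def audit(reg_text):
    """List (zone name, setting, needs_review) for the unsafe-ActiveX action."""
    findings = []
    for zid, actions in sorted(parse_zones(reg_text).items()):
        value = actions.get(UNSAFE_ACTIVEX)
        setting = POLICY.get(value, "not set" if value is None else f"unknown({value})")
        # Outside the local machine zone, anything but "disabled" lets a page
        # reach such objects silently or after one click on a prompt.
        risky = zid != "0" and setting in ("enabled", "prompt")
        findings.append((ZONES.get(zid, zid), setting, risky))
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1201"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1201"=dword:00000003
'''
if __name__ == "__main__":
    for name, setting, risky in audit(SAMPLE):
        print(f"{name:16} 1201={setting:9} {'REVIEW' if risky else 'ok'}")
```

Registry exports are written as UTF-16, so decode the file before passing its text to `audit`.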
