Loading ...
Sorry, an error occurred while loading the content.
 

Re: [hackers-il] MSIE crash

Expand Messages
  • Tzafrir Cohen
    ... One thing that is probably very legitimate of you to do is to use some known weaknesses of MSIE that allow execusion of arbitrary (?) code: * write a small
    Message 1 of 4 , Nov 3, 2001
      On Fri, 2 Nov 2001, Alon Altman wrote:

      > Hi,
      > I would like to make my site visitable to any browser but MSIE. To do that
      > I need to add an MSIE-only feature that will either crash the browser(best),
      > display a blank page (not that good), or annoy the user via lots of popups,
      > annoying sound, etc...

      One thing that is probably very legitimate of you to do is to use some
      known weaknesses of MSIE that allow execusion of arbitrary (?) code:

      * write a small activex componnent that issues a scary "now formatting
      your hard-disk" message
      * Use the hole that is used by the worm nimda. It was patched by MS, by I
      figure that most users never botherd updating

      > Is there any way to do this *without* depending on the user-agent field.
      > Many browsers spoof their user-agent, so I don't want to block them by
      > mistake.

      DHTML is said to be one aera where MSIE is setting its own standards. It
      is also one place where 100% CPU utilization is not a hard target.

      I saw one such annoying example recently, but I don't remember where.

      --
      Tzafrir Cohen
      mailto:tzafrir@...
      http://www.technion.ac.il/~tzafrir
    • mulix
      ... i am curious, alon, why? feel free to respond in private if you d like. ... how is this legitimate tzafrir? it s technically feasible, but does that make
      Message 2 of 4 , Nov 3, 2001
        On Sat, 3 Nov 2001, Tzafrir Cohen wrote:

        > On Fri, 2 Nov 2001, Alon Altman wrote:
        >
        > > Hi,
        > > I would like to make my site visitable to any browser but MSIE. To do that
        > > I need to add an MSIE-only feature that will either crash the browser(best),
        > > display a blank page (not that good), or annoy the user via lots of popups,
        > > annoying sound, etc...

        i am curious, alon, why?
        feel free to respond in private if you'd like.

        > One thing that is probably very legitimate of you to do is to use some
        > known weaknesses of MSIE that allow execusion of arbitrary (?) code:

        how is this legitimate tzafrir? it's technically feasible, but does that
        make it legitimate?

        > * write a small activex componnent that issues a scary "now formatting
        > your hard-disk" message
        > * Use the hole that is used by the worm nimda. It was patched by MS, by I
        > figure that most users never botherd updating
        >
        > > Is there any way to do this *without* depending on the user-agent field.
        > > Many browsers spoof their user-agent, so I don't want to block them by
        > > mistake.

        it can be argued that anyone who *wants* to be treated as MSIE *should*
        be treated as MSIE. unless MSIE users can also spoof their user-agent
        field, which i doubt.
        --
        mulix

        http://www.pointer.co.il/~mulix/
        http://syscalltrack.sf.net/
      • Tzafrir Cohen
        ... Note that for many people this means unaccessible . ... It is legitimate IMHO if the code itself is harmless and gives a scary warning. I consider this a
        Message 3 of 4 , Nov 3, 2001
          On Sat, 3 Nov 2001, mulix wrote:

          > On Sat, 3 Nov 2001, Tzafrir Cohen wrote:
          >
          > > On Fri, 2 Nov 2001, Alon Altman wrote:
          > >
          > > > Hi,
          > > > I would like to make my site visitable to any browser but MSIE.

          Note that for many people this means "unaccessible".

          > > One thing that is probably very legitimate of you to do is to use some
          > > known weaknesses of MSIE that allow execusion of arbitrary (?) code:
          >
          > how is this legitimate tzafrir? it's technically feasible, but does that
          > make it legitimate?

          It is legitimate IMHO if the code itself is harmless and gives a scary
          warning.

          I consider this a service to the user.

          --
          Tzafrir Cohen
          mailto:tzafrir@...
          http://www.technion.ac.il/~tzafrir
        Your message has been successfully submitted and would be delivered to recipients shortly.