Yet another IE4 exploit

Lloyd Wood (L.Wood@surrey.ac.uk)
Mon, 27 Apr 1998 01:31:18 +0100 (BST)


Yawn.

This isn't news. No-one has covered this. No-one cares.

http://www.ee.surrey.ac.uk/Personal/L.Wood/IE4embed/

It's another exploitable hole in IE4 and Outlook Express that will
crash Windows 95 and NT systems. They've now issued a patch for it.

It's no big deal - only millions of exploitable machines still out
there. There's nothing here that we didn't already know or suspect.
Which is presumably why I stumbled on this late, and couldn't find any
coverage of this in the usual tech-happy sources.

Ho, hum. And Microsoft says:

'A malicious Web page could cause Internet Explorer 4.0 to crash
through an exploit with the "EMBED" tag. It's difficult, but possible,
for the page to then run code in memory on that machine.
[..]
There have been no reports of any customer being affected by this bug.'

...just as there were no reports of any customers being affected by
the mk bug, the res overflow, the OBJECT tag bug, the...

Anyway, there'll be another bug to exploit along shortly. This isn't
news. This has, unfortunately, come to be accepted reality.

(Is there anyone out there still choosing to run Internet Explorer?
Can anyone in a position to know tell me if Microsoft's tape backup
software is Y2K-compliant or not? Does anyone else think:

http://geek-girl.com/bugtraq/1998_2/0157.html

might be rather scarier?)

thanks,

L.

Move along, move along. There's nothing here you're supposed to see.

<L.Wood@surrey.ac.uk>PGP<http://www.sat-net.com/L.Wood/>+44-1483-300800x3641