Whats the worst thing HTML can do?

[STeRoiD]

From time to time I look at new exploits and sometimes I see exploit that cause HTML to run on "My Computer" zone, but As far as i know, the "worst" thing you can do with HTML is activate an EXE file.

So I say to myself, Oh no, im doomed, someone can activate my calculator!

Thats why I was wondering, what is the worst thing HTML that runs on "My Computer" zone can do? Why do i need to defend against those?

[Syini666]

Well running an exe is pretty bad actually. For instance, one could run a telnet server (like the one that comes with windows 2000 pro) and exploit that. Someone could also open multiple exes so fast that it crashes the system (a couple hundred copies of calculator running would probably not be a good thing unless you have mountains of RAM to spare) I've seen a few HTML type of exploits happen, and they arent too cool, esp that one a while back that could read your MSN Messenger contact list.

[Tedob1]

html isnt really the danger. it's the scripts that can run from it. these can download and run exe's like trojans and virus files. if you want to see an example, the next time you find nimda or code red code in your server logs, go browse the site that sent it. you'll become infected even if you have the patchs installed on your server by the java script that it appends to the infected sites home page.

opening calc is just to show, harmlessly, that scripts can run exes without your permission. it could, just as easly run a copy of netcat or the tini backdoor it's just downloaded

[STeRoiD]

these can download and run exe's like trojans and virus files

I checked it, and by default, the setting for download permission for signed ActiveX controls is "Prompt", and the setting for download unsigned ActiveX controls in the "My Computer" zone is "Disable".

so even if an html runs in "My computer" zone, it cannot download and run EXE's or ActiveX's, it can only run EXE's that are already on that computer. yeah, that can be bad, I agree that in some cases, some EXE's can do a bit harm, or 30294 Calculators can be annoying, but its still not that critical, right?

[Unl3Ashed]

IMHO most of these attacks could be solved by NOT using Internet explorer and disabling java.
here is a list of some attacks ( Unpatched IE security holes ) : http://www.pivx.com/larholm/unpatched/
In above site you can also test yourself to See if you are vulnerable or not.

Some of those unpathced attacks are :
Java XMLDSO base tag
delegated SSL authority
CTRL-key file upload focus
FTP Folder View XSS
Self-executing HTML Help
HTML Help ActiveX
IE dot bug
Security zone transfer
script src" local file enumeration
IE https certificate attack

And many others which if you know you won't use IE at all.

[Bohogg]

Scarey......Thanks for the link to pivx.com

[Tedob1]

I checked it, and by default, the setting for download permission for signed ActiveX controls is "Prompt", and the setting for download unsigned ActiveX controls in the "My Computer" zone is "Disable".

What about active scripting and your java permissions?

[lowtone]

and theres always this http://www.antionline.com/showthread...hreadid=233620

[m!thr!l]

The ability to run local exe's gives the hacker the ability to do anything he wants to. Just the ability to run cmd.exe presents unlimited potential for a hacker. He could format your drive, add an account for himself, start vulnerable services, connect over the internet to his system and install "rootkits", you name it and it can be done from the command line.

[hellbringer87]

there's also the ability to read and set clipboard content. if they opened up a frameless window you can track what they have on a persons clipboard... and depending on what they place in their clipboard it could also be quite dangerous....

the exploit:
http://tom.me.uk/clipboard/exploit.html