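newsbug (Newsgroup Vulnerability) -- Source Code <Part 1>

(2000-05-27 00:00) (Translated by this site) (CPCW)
Introduction -- I wrote the NewsBug article about 2-3 months ago, but because I still have many other projects to do, I did no further work on it......
newsbug (Newsgroup Vulnerability)

Program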

I created my NewsBug approximately 2-3 months ago but never did anything further with it as I have a lot of other projects I am working on. I reported this to MS on Feb 17 while attending the W2K launch, but haven't heard anything from them since. Basically what it is: a web page or an email that when viewed in Outlook (all versions 4.0 and up) and Netscape (all versions 4.0 and up) that have been set up and are the default email and news reader, with JavaScript and HTML view enabled. When the web page is viewed it opens up OE or NS and starts making bogus news group file entries; it doesn't subscribe to them because they don't exist, but it forces the user to manually delete them. To view a POC go to: http://www.zoomnet.net/~quick/error/newsbug.html

During testing, approximately 50% of the time OE would crash before it can be stopped, and when OE is opened back up, instead of it coming up and saying OE wasn't shut down properly and the page is not being shown because of possible security concerns, that doesn't come up; instead, when OE is rebooted it comes back up and starts making them all over again. Well, that is if they have it set with the preview pane option enabled and the order of the messages is to show the newest one at the bottom.

For it to work in email it requires an additional file, and if you wish to see a POC of it used in email then send me an email authorizing me to send it to you, because I am not in the habit of sending unsolicited malicious code through email.

Fix: NO known fix

Work around: Disable JavaScript

This next one, I am not sure if it is already known or not; it is sort of like Georgi Guninski's WordPad code execution but it uses a .shs (scrap file). It is possible to create a .shs file that contains executable code that, when run outside of Word, will execute the code without opening Word. I only mention it because a lot of casual users are not familiar with the file extension and might run it because the icon looks

To be continued
