I’ve posted about IE6 vulnerabilities before. They mostly involved spoofing the address bar, which was in itself dangerous as it allowed scam artists to make their websites be at the address “www.visa.com” or other such honeypot locations. This vulnerability is far worse however: it makes command lines run on the user’s machine. Why is that bad? Because someone can make that command be “del C:\Windows\System32\*.dll” or something equally sensitive, causing Windows to crash… permanently. The solution? Switch browsers; stop using Internet Explorer.
Vulnerability Test
Test Now [Internet Explorer Users Only]
If the test was succesful, you will now have a folder on your C:\ drive called “ie6vulnerability.jmcardle“. This is by far the worst security hole I’ve ever seen. If you wish to run the test multiple times, then please refresh this page before each test. The test requires that you have WindowsXP SP2 & Internet Explorer 6. Disclaimer: You do not have to click any links on this site, including the link to the vulnerability test above. I am not responsible for any consequences to you or your system(s) should you choose to click the aforementioned links. Note: Since I’ve been Slashdotted, I should hand out proper credits. The code I used to base this example was posted on New Order on Jan 5th, as well as on Secunia a few days later. Further Note: It should be stated that Secunia took their code primarily from ShredderSub7.