Security hole in Internet Explorer allows attackers to execute arbitrary programs
Aviv Raff has discovered that arbitrary programs can be executed when crafted web pages are printed in Internet Explorer. The vulnerability is based on a cross-zone scripting hole allowing web pages to execute code in the local zone instead of the internet zone. However, user intervention is required.
Raff has created a sample page to demonstrate the hole. The web page calls the Windows computer if the user prints it using the "Print Table of Links" feature. It is irrelevant whether the user allows the execution of active content as warned by IE. heise Security was able to reproduce the behaviour in Windows XP SP2 with all current patches and Internet Explorer 7.
While the vulnerability allows code to be executed under Windows XP, Windows Vista with activated User Account Control (UAC) only allows attackers to spy out information, explains Raff. Older versions may also be affected by the problem. Users are advised to refrain from printing web pages with link tables until Microsoft has released a patch.
- Internet Explorer "Print Table of Links" Cross-Zone Scripting Vulnerability, demonstration of the vulnerability in the milw0rm archive