HTML Application files can cause trouble for IE users

About a week ago, Jeffrey van der Stad, a Dutch Web developer, stumbled upon a security vulnerability involving the way Internet Explorer (IE) 6 handles HTML Applications (HTAs). According to van der Stad's post, a malicious Web site can force IE to download and run a malicious HTA file without any user interaction. By enticing you to a Web site prepared with a booby-trapped HTA file, an attacker can exploit this flaw to execute code on your computer with your privileges, potentially gaining complete control of your system.

HTAs are executable Windows applications written using the same programming languages that Web sites use (languages like HTML, DHTML, JavaScript, CSS, etc.). In other words, HTAs are a lot like locally executable Web pages, with one primary exception. Unlike the Web pages you visit on the Internet, HTA files execute with no security restrictions... WatchGuard Wire

Linked by shanmuga Wednesday, 22nd March 2006 12:42AM