Stop using back button in Internet Explorer NOW!

[babysimon]

Exploit allows malicious site to execute arbitrary code by showing user 404 and assuming they click "Back".

Sample exploit (executes minesweeper) :

http://www.babysimon.co.uk/iebug.html

As always, Mozilla is available from http://www.mozilla.org/

Comments

[ciphergoth.livejournal.com]

eek!

Where did you hear about this one from?

If you're a Windows user, here's the direct link to the current latest Mozilla download; it's about 9 Mb.

http://download.mozilla.org/pub/mozilla/releases/mozilla0.9.9/mozilla-win32-0.9.9-installer.exe

[sashajwolf.livejournal.com]

Huh?

I may just not be understanding, but only the third link behaves as I'd expect from your post.

The first two give me a 404, but don't run minesweeper when I click back - I just get a blank window with gibberish in the Address box.

The fourth one shows me a Google search screen, and then when I click back, I get a dialog box with complete gibberish.

I'm confused.

[djm4]

Indeed. Here's a link to more information from McAfee, with a link to a patch from Microsoft.

[babysimon]

http://online.securityfocus.com/archive/1/267561

via slashdot (I only read it for the headlines!)

[babysimon]

It's rather dependent on the version of Windows you use, the version of IE, the service packs, etc. I tested it here and it definitely worked - I'm just downloading a smorgasbord of service packs to see if it's fixed.

[elfgeek.livejournal.com]

I've stopped using IE ages ago. The only problem with Mozilla is it doesn't work with the Cisco curriculum site (I can't seem to install Macromedia Flash on Mozilla and Shockwave doesn't work) and for that one and only reason I still have a copy of IE tucked away.

[lovingboth]

Well, your sample doesn't seem to work with IE 5.00.something.something.

That's useful - despite being the version shipped with Win98SE, MS seem to have discontinued support for it, and I don't want to 'upgrade' to 5.5 or 6.0