Who framed Internet Explorer

by Volker Weber

We discovered that it is possible for an attacker to execute script on any page that contains <frame> or <iframe> elements, ignoring any protocol or domain restriction set forth by Internet Explorer. This means that an attacker can steal cookies from almost any site, access and change content in sites and in most cases also read local files and execute arbitrary programs on the client's machine (script in the "My Computer" zone).


To give you a little demonstration of what an iframe is, look at your files on my website. If this window is empty, you are not using Internet Explorer 5 (and "better"):

Comments

That my browser shows me my own data is not a problem for me at first, so in that respect this script is nothing wild for now. However, one should actually disable the option "Launching programs and files in an IFRAME" in order to prevent a blind script call into the iframe from the external domain.

Jens

Jens, 2002-09-12
