IE "Local JavaScript" security hole

-Bennett Haselton,

News sightings: C-Net | NewsBytes

See also:
JavaScript-in-cookies security hole
Eudora "stealth attachment" demo page

This page demonstrates a security hole in Internet Explorer 5.x. However, the exploit will only work if you have Netscape Communicator 4.x installed and are using a profile named "default". So you have to have Netscape Communicator installed, but you have to be using IE to view the "demo page". (It would not be hard to trick an unsuspecting Netscape user into viewing a particular page with IE, since all Windows 98 users have IE on their computers anyway, and some pages say that they simply will not work unless you view them with a particular browser.)

To view the demo,

The demonstration will not work, and will not do anything, period if your user Netscape user preferences file is not located at
C:\Program Files\Netscape\Users\default\prefs.js
or if you view the above link in a browser other than Internet Explorer for Windows.