
RCE Without Native Code: Exploitation of a Write-What-Where in Internet Explorer - twoodfin
https://www.thezdi.com/blog/2019/5/21/rce-without-native-code-exploitation-of-a-write-what-where-in-internet-explorer
======
userbinator
IE is one of the few remaining browsers that still lets you configure settings
on a per-"zone" basis by default, with no need to install additional
extensions to get this IMHO very useful function:

[https://evolpin.files.wordpress.com/2011/11/internet-zone.pn...](https://evolpin.files.wordpress.com/2011/11/internet-zone.png)

That setting has been there since at least IE5, if I remember correctly; and
it's also one of the things I always disable after a new install too. I think
the fact that Microsoft clearly understood the idea of partitioning sites into
different trust levels, with different levels of security for each, was an
idea ahead of its time. They did not have the "JS is obligatory and you should
trust all sites to run arbitrary code" attitude that unfortunately is
prevalent today.

...then MS comes up with Edge and _removes the feature completely_, possibly
due to those developers with the aforementioned harmful attitude:

[https://answers.microsoft.com/en-us/insider/forum/all/micros...](https://answers.microsoft.com/en-us/insider/forum/all/microsoft-edge-site-security-zones/403c5b72-d0b9-4b8e-a20d-43c53781b0bf)

Edit: did I say something wrong...?

~~~
saagarjha
Firefox has some sort of “profiles” thing, does it not? Can you change
settings per profile?

~~~
JadeNB
Behaviour per _profile_ (loosely speaking, an identity) is different from
behaviour per _zone_ (a site or group of sites).

------
w0mbat
I find “write-what-where” a little clumsy as a term. How about just calling it
“POKE”, like when we were kids writing BASIC?

~~~
saagarjha
Presumably the qualifiers are there to distinguish it from a more limited
write primitive, which can still be quite useful.

~~~
adrianratnapala
But the POKE operation is specifically about writing to a given address. So it
does capture what you are talking about. (Whether it is any clearer than
"write-what-where" I leave as an exercise to the reader).

