Hacker News new | past | comments | ask | show | jobs | submit login

normally docx viruses are simply VBA scripts but sometimes they exploit an active x embed or image rendering bug.

However other times things like browsers do dumb stuff:

docx files and silverlight files are both just zip files with completely different structures meaning they can live together in the same file.

IE used to look at txt files that contained html tags and say hmm maybe i should display that as html

that meant on sites that accepted txt and docx uploads (a lot of recruitment sites etc) you could upload a txt file that simply embed the docx as a silverlight component. When the admin looked at the txt file it would run the code as the currently logged in (admin) user.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: