Comment by shakna
3 hours ago
It doesn't only work with protocols registered by "your system" - Notepad doesn't register protocols. And Notepad is the user agent, here.
It works with your _locally_ registered protocols, not just the _remote_ protocols.
Which is why it works with JScript. And PowerShell. And Visual Basic.
This is a bug that replicates why IE 4 was called insecure. It's not something that should ever surface again, today.
It is... The exact example of what an RCE is. _Local_ code executed by a _remote_ command.