Internet Explorer 5.1 for Macintosh allows remote attackers to bypass security checks and invoke local AppleScripts within a specific HTML element, aka the "Local Applescript Invocation" vulnerability.
A vulnerability has been discovered in MacOS systems running Internet Explorer 5.1 and earlier. MacOS X is not affected by this issue.
File URLs may be used by a malicious webmaster to execute programs on a web user's local system. The exact path to the location of the file must be known. This includes being able to anticipate the name of a particular user's hard drive.
This issue may be exploited to execute "Speakable Items" in MacOS 8 and 9.
This issue may also be exploitable through maliciously crafted HTML-enabled e-mail.
<META HTTP-EQUIV="refresh" CONTENT="1; URL=file:///Macintosh%20HD/System%20Folder/Speakable%20Items/Put%20Computer%20To%20Sleep">
Internet Explorer for Mac contains a flaw that allows a remote attacker to execute arbitrary AppleScript programs on locally accessible file stores. The issue is due to the browser not properly sanitizing user input, specifically traversal-style attacks supplied via file:/// URLs.
Upgrade to Internet Explorer version 5.1.7 for Mac OS 8.1 to 9.x or higher, as it fixes this vulnerability. An upgrade is required as there are no known workarounds.
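A detection check for the pattern shown above, for use on web content or HTML e-mail bodies at a gateway. This is an added example, not part of the original advisory; the function and class names and the sample message body are constructed for illustration, and only the META tag itself comes from the advisory.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Schemes that point the browser at the local file system (assumed policy list).
LOCAL_SCHEMES = {"file"}

# CONTENT is "<seconds>; URL=<target>"; the "URL=" prefix and quotes are optional.
REFRESH_RE = re.compile(r"\s*[\d.]*\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)", re.I)

class MetaRefreshScanner(HTMLParser):
    """Collect <meta http-equiv="refresh"> targets that use a local scheme."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <META ...> matches.
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = REFRESH_RE.match(a.get("content", ""))
        if not m:
            return  # plain timed reload with no redirect target
        target = m.group(1).strip()
        parts = urlsplit(target)
        if parts.scheme.lower() in LOCAL_SCHEMES:
            # Decode %20 etc. so an analyst sees the real local path.
            self.findings.append({"target": target,
                                  "decoded_path": unquote(parts.path)})

def find_local_refresh(html_text):
    """Return one finding per meta refresh that redirects to a local file URL."""
    scanner = MetaRefreshScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings

# Constructed sample body: one benign refresh plus the tag quoted in the advisory.
SAMPLE_BODY = """<html><head>
<meta http-equiv="refresh" content="30; url=https://example.com/news">
<META HTTP-EQUIV="refresh" CONTENT="1; URL=file:///Macintosh%20HD/System%20Folder/Speakable%20Items/Put%20Computer%20To%20Sleep">
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for finding in find_local_refresh(SAMPLE_BODY):
        print("local-file refresh:", finding["decoded_path"])
```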