AGAIN: Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No Java Runtime Environment installed)

From: http-equivat_private
Date: Thu Apr 19 2001 - 00:01:30 PDT

     Thursday, 19 April, 2001
    
    There is an interesting oddity with the 'free' Opera 5.02 Build 856a (No
    Java Runtime Environment installed) on Windows 98 when downloading files, in
    particular *.exe. While the array of file type associations and instructions
    for what to do with them is wide, the instruction set for *.exe simply does not
    stick.
    
    Normally when executing a file download, the security warning box is invoked
    asking whether you wish to 'open or save' -- this is default. Also, as it
    should be, the ability to uncheck-mark the security warning box is greyed
    out.
    
    However if you select open, the file association settings seem to
    automatically register 'open with default application' instead of reverting
    to 'show download dialog'. Naturally, thereafter any file download is
    automatically opened.
    
    Simply put:
    
    http://opera.online.no/win/ow32enen510.exe
    
    will (should) invoke the security warning download dialog
    
    (screen shot: http://www.malware.com/foopera.jpg 31KB)
    
    But because we intend to install from the trusted source, we select 'open
    file' in order to install, thereafter the file association settings seem to
    register themselves to always 'open with default application' for an *.exe
    
    and naturally when we go to:
    
    [working example: harmless *.exe automatically launched]
    
    http://www.malware.com/fauxpera.html -- simply viewing the page or clicking on
    the link automatically runs our *.exe
    
    Once again: test vehicle 'free' Opera 5.02 Build 856a (No Java Runtime
    Environment installed) on Windows 98
    
    Additionally we can crash it extremely hard with simple, yet unorthodox
    JavaScripting squeezed into a shockwave file:
    
    custom create a shockwave file (*.swf), select the interactive text or
    button and force into the href field:
    
    javascript:document.location="*.xbm?<script>alert()</script>"
    
    and simply add <img src="malware.xbm"> -- what happens is Opera locates the
    *.xbm (we use an obscure file type to ensure no others are likely to be in the
    cache) and views it automatically from the cache (note: without the need for
    a name):
    
    (screen shot: http://www.malware.com/bar.jpg 25KB)
    
    and the simple alert() then tries to fire from within the cache resulting
    in:
    
    OPERA caused an invalid page fault in
    module OPERA.EXE at 015f:004e2b1a.
    Registers:
    EAX=00fcc0f0 CS=015f EIP=004e2b1a EFLGS=00010206
    EBX=017855fc SS=0167 ESP=0084e530 EBP=0084e54c
    ECX=00580038 DS=0167 ESI=01f701c3 FS=0e87
    EDX=00007470 ES=0167 EDI=00000000 GS=0000
    Bytes at CS:EIP:
    80 3e 00 74 19 56 e8 eb 6e 05 00 40 50 e8 cf 6d
    Stack dump:
    00000000 00fcc110 00455f8a 01f701c3 0058002c 01785c40 01ee3f90 0084e570
    00455e4f 00000002 00000001 0058002c 01f701c3 00000000 00000000 017856a0
    
    IMPORTANT NOTES:
    
    1. Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No Java Runtime
    Environment installed)
    2. In the 10 days from today's date since the download and installation of
    the 'free' Opera 5.02 Build 856a (No Java Runtime Environment installed),
    the manufacturer http://www.opera.com has since come out with a newer
    version: Opera 5.10 Build 902 which doesn't appear to be affected at all.
    3. There also doesn't appear to be any mention of the above findings
    anywhere for 'free' Opera 5.02 Build 856a (No Java Runtime Environment
    installed) on Windows 98
    4. Suggest to test your version/configuration and upgrade if affected
    5. This all may very well be a unique combination system configuration
    problem
    
    
    One More Time: Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No
    Java Runtime Environment installed)
    
    
    ---
    http://www.malware.com
    This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 20:30:48 PDT