W32/BadTrans.B-mm [Was: File extensions spoofable in MSIE download dialog]

From: http-equivat_private
Date: Mon Nov 26 2001 - 20:45:10 PST


    "Jouko Pynnonen" <joukoat_private> wrote in message:
    
    > The flaw has been successfully exploited with Internet Explorer 5.5 and
    > 6. An IE5 with the latest updates shows the spoofed file name and
    > extension without a sign of EXE, and issues no Security Warning dialog
    > after the file download dialog.
    
     
    > VENDOR STATUS
    > 
    > Microsoft was contacted on November 19th. The company doesn't currently
    > consider this a vulnerability; they say that the trust decision should
    > be based on the file source and not type. The origin of the file, i.e. the
    > web server's hostname, can't be spoofed with this flaw. It's not known
    > whether a patch is going to be produced. Microsoft is currently
    > investigating the issue.
    
    This is interesting, but not surprising. A couple of hours ago we received two
    copies of the new W32/BadTrans.B-mm and, taking a closer look, we found the
    following:
    
    1. A lot of noise is being made about how the vulnerability that this uses
    is old, and that many patches, service packs, warnings, other i-worms
    utilising the vulnerability have come and gone, yet there is wide-scale
    spreading of this variant today.
    
    2. The two copies we received were from Outlook Express 6.00 mail clients.
    How can that be? They are not vulnerable to the so-called audio/x-wav MIME
    IFRAME Outlook Express vulnerability.
    
    3. What we found was precisely as you describe above, as was discussed
    and demonstrated over 12 months ago, and as recently as 3 months ago:
    http://www.securityfocus.com/bid/3271, and as the vendor continuously claims,
    as above.
    
    4. In the case of Outlook Express 6 [and probably the others, even the
    patched others], the W32/BadTrans.B-mm uses *.scr or *.pif files
    [S3MSONG.DOC.scr].
    
    5. We found that a *.scr file incorporated in an IFRAME, does in fact
    execute after only the single 'open it' or 'save it' attachment warning.
    There is no second 'SECURITY WARNING', simply accepting the generic
    attachment warning dialogue runs the *.scr without any other warning. *.exe
    won't run.
    
    Working Example [harmless "windows flower pot" screen saver]:
    
    http://www.malware.com/badtranceman.zip
    
    This is simply not acceptable. Guaranteed there are generic folk out there
    who know nothing, and will open that attachment warning out of curiosity, be
    their mail client Outlook Express 5.00 patched, 5.5 patched or 6.00
    patched. The current proliferation can surely be based on that [as well].
    
    The warning dialogue is just not good enough for executable file
    attachments. A clear safety warning must follow the single, simple 'open it'
    or 'save it' flimsy attachment warning. It is grossly unfair to the
    clientele this vendor caters to and contributes to the destruction of the
    internet infrastructure as a whole, making it unsafe for everyone.
    
    Please don't sell the nice little children shiny bright toys with toxic
    parts that fall off that they can swallow and then claim they ought to know
    better and not put it in their mouths.
    
    references:
    
    http://www.malware.com/carolclickme.html
    http://www.malware.com/yoko.html
     
    
    side irritational note: there is nothing more pleasurable than scratching
    out 3/4 of this communication, then having the Windows operating system
    freeze on you, hard reboot and start all over again.
    
    side technical AV note: the W32/BadTrans.B-mm copies received are not
    actually being sent through/by the mail client. They're in X-Unsent: 1 state,
    which means Message Composition State in Outlook Express. No doubt it's
    clear to the AV experts that it's using its own SMTP engine, but the headers and
    boundary lines aren't of OE vintage; also, each copy arrived with a zero byte
    *.txt file attachment as well as the payload. It all appears to be a
    peculiar construction.
    
    simple solution: SWITCH OFF HTML IN THE EMAIL CLIENT !
    
    
    ---
    http://www.malware.com
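Added example, not code from the original post or from malware.com: a small mail-gateway check that flags the message traits the post describes (an X-Unsent: 1 header, an HTML body whose IFRAME auto-references an attached part by Content-ID, a *.scr/*.pif/*.exe attachment with a double extension such as S3MSONG.DOC.scr, and a zero-byte *.txt rider) over a constructed sample message. The boundary string, the notes.txt name and the block/allow verdict are assumptions for the example.

```python
import email, os, re
from email import policy

# Constructed sample (not a real W32/BadTrans.B capture) carrying the traits from
# the post: X-Unsent: 1, an IFRAME pointing at a *.scr part by Content-ID, a
# double-extension payload name, and a zero-byte *.txt attachment as a rider.
SAMPLE_RAW = """\
X-Unsent: 1
Content-Type: multipart/related; boundary="==CONSTRUCTED=="

--==CONSTRUCTED==
Content-Type: text/html

<html><body><iframe src="cid:S3MSONG.DOC.scr" height=0 width=0></iframe></body></html>
--==CONSTRUCTED==
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="S3MSONG.DOC.scr"
Content-ID: <S3MSONG.DOC.scr>

Q09OU1RSVUNURUQgU0FNUExF
--==CONSTRUCTED==
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

--==CONSTRUCTED==--
"""

EXEC_EXTS = {".scr", ".pif", ".exe"}  # extensions the post discusses

def scan_message(raw):
    # Parse with the modern policy so get_content()/get_filename() behave.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if msg.get("X-Unsent", "").strip() == "1":
        findings.append("x-unsent-header")  # composition-state header on delivered mail
    for part in msg.walk():
        if part.is_multipart(): continue
        if part.get_content_type() == "text/html":
            if re.search(r"<iframe[^>]*src\s*=\s*[\"']?cid:", part.get_content(), re.I):
                findings.append("iframe-cid-reference")  # body auto-loads an attached part
        name = part.get_filename()
        if not name: continue
        ext = os.path.splitext(name.lower())[1]
        if ext in EXEC_EXTS:
            findings.append("executable-attachment:" + name)
            if name.count(".") >= 2:
                findings.append("double-extension:" + name)  # e.g. DOC.scr
        elif ext == ".txt" and not (part.get_payload(decode=True) or b"").strip():
            findings.append("empty-text-attachment:" + name)  # zero-byte rider
    verdict = "block" if any(f.startswith("executable-attachment") for f in findings) else "allow"
    return {"verdict": verdict, "findings": findings}
```

Run scan_message(SAMPLE_RAW) to see all five indicators and a "block" verdict; on a plain text/plain mail with no attachments it returns "allow" with no findings.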
    



    This archive was generated by hypermail 2b30 : Tue Nov 27 2001 - 12:55:27 PST