I understand that the worm is just sitting there in the cache and as long as it does not run it does not become active. I should have been more clear on what I was looking for. My concerns are the following:

1- Although in the cache, a Trojan is sitting there on the file system. I am not comfortable with this idea at all. I see it as a risk.
2- Could a new exploit be developed to run the worm from the cache?
3- It would have been safer to patch IE so that it prompts the user before storing (including caching) any file. I really dislike the idea that "executables" are being downloaded behind the scenes in IE.

In general I am not satisfied with the patch. I feel that MS needs to provide a stronger solution.

Thanks.

--- Lars Gaarden <larsgat_private> wrote:
> Jose Romeo Vela wrote:
> > I came across something that makes me think that IE 5.5 SP2 is still
> > vulnerable to NIMDA.
> >
> > Although I hardly use IE since I prefer Netscape, I still have IE on
> > my PC. I updated my IE 5.5 to SP2 to avoid the vulnerability and I
> > decided to test it. It is my understanding that the patch does not
> > automatically store files sent by an exploit such as NIMDA's. I looked at
> > my web server logs (Linux/Apache, it rocks!) and picked one of the IP
> > addresses that are trying to hit me. I opened Netscape with this URL and I
> > got asked if I want to save the readme.eml (as expected). I tried the
> > same thing with IE 5.5 SP2 and my anti-virus goes bananas with
> > instances of NIMDA in the cache directory.
> >
> > IE 5.5 SP2 never asked me if I wanted to save the file. Apparently MS,
> > in their infinite wisdom, caches the file right away.
>
> No harm done if IE only caches the object. From my understanding of
> the SP2 fix, IE doesn't deny the downloading of the .eml embedded in
> the web page - it only fixes the "run files with mimetype wav, no
> questions asked" bug.
>
> So, readme.eml is automatically cached - just like any other web page,
> .gif picture, or any other material you encounter while surfing the web.
> But, it has not been run automatically. The worm is in your web cache,
> but it hasn't been run and your PC has not been infected.
>
> --
> LarsG

=====
Regards.
Jose Romeo Vela
jrvelaat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
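As an added example that is not part of this thread, here is a defender-side check for the trick Lars describes: a cached .eml whose attachment is declared as audio/x-wav but actually carries an MZ (DOS/PE executable) header. The sample message is constructed for the test and is not the worm's readme.eml; the payload bytes are an inert placeholder, and the checker uses only the Python standard library.

```python
import base64
from email import message_from_string
from pathlib import Path

# Constructed sample, NOT the worm's file: a multipart message whose second
# part claims to be a WAV clip but whose decoded bytes start with "MZ".
SAMPLE_EML = "\r\n".join([
    "MIME-Version: 1.0",
    'Content-Type: multipart/alternative; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/html; charset=us-ascii",
    "",
    "<html>placeholder body</html>",
    "--b1",
    'Content-Type: audio/x-wav; name="readme.exe"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="readme.exe"',
    "",
    base64.b64encode(b"MZ" + b"\x00" * 62 + b"inert placeholder").decode(),
    "--b1--",
    "",
])

WAV_TYPES = {"audio/x-wav", "audio/wav"}
RIFF_MAGIC = b"RIFF"   # every real WAV file starts with a RIFF chunk header
MZ_MAGIC = b"MZ"       # DOS/PE executable header


def find_mime_mismatches(raw_eml: str) -> list[dict]:
    """Return one finding per non-multipart MIME part that is declared as WAV
    audio but whose decoded content does not begin with a RIFF header."""
    msg = message_from_string(raw_eml)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ctype in WAV_TYPES and not payload.startswith(RIFF_MAGIC):
            findings.append({
                "declared": ctype,
                "filename": part.get_filename(),
                "magic": payload[:2],
                "is_executable": payload.startswith(MZ_MAGIC),
            })
    return findings


def scan_cache_dir(cache_dir: str) -> dict:
    """Run the check over every .eml file under a browser cache directory."""
    return {str(p): find_mime_mismatches(p.read_text(errors="replace"))
            for p in Path(cache_dir).rglob("*.eml")}
```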
This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 08:46:07 PDT