Home page logo
/

bugtraq logo Bugtraq mailing list archives

W32/BadTrans.B-mm [Was: File extensions spoofable in MSIE download dialog]
From: "http-equiv () excite com" <http-equiv () excite com>
Date: Mon, 26 Nov 2001 20:45:10 -0800 (PST)

"Jouko Pynnonen" <jouko () solutions fi> wrote in message > 

 
The flaw has been successfully exploited with Internet Explorer 5.5 and
6. An IE5 with the latest updates shows the spoofed file name and
extension without a sign of EXE, and issue no Security Warning dialog
after the file download dialog.

 
VENDOR STATUS

Microsoft was contacted on November 19th. The company doesn't currently
consider this is a vulnerability; they say that the trust decision should
be based on the file source and not type. The origin of the file, ie. the
web server's hostname can't be spoofed with this flaw. It's not known
whether a patch is going to be produced. Microsoft is currently
investigating the issue.

This is interesting, but not surprising. Couple hours ago, we received two
copies of the new: W32/BadTrans.B-mm and taking a closer look we found the
following:

1. A lot of noise is being made about how the vulnerability that this uses
is old, and that many patches, service packs, warnings, other i-worms
utilising the vulnerability have come and gone, yet there is wide-scale
spreading of this variant today.

2. The two copies we received were from Outlook Express 6.00 mail clients.
How can that be? They are not vulnerable to the so-called: audio/x-wav MIME
IFRAME Outlook Express vulnerability.

3. What we found was precisely as you describe above, as what was discussed
and demonstrated over 12 months ago, and as recent as 3 months ago:
http://www.securityfocus.com/bid/3271, and as the vendor continuously claims
as above.

4. In the case of Outlook Express 6 [and probably the others, even the
patched others], the W32/BadTrans.B-mm uses *.scr or *.pif files
[S3MSONG.DOC.scr]

5. We found that a *.scr file incorporated in an IFRAME, does in fact
execute after only the single 'open it' or 'save it' attachment warning.
There is no second 'SECURITY WARNING', simply accepting the generic
attachment warning dialogue runs the *.scr without any other warning. *.exe
won't run.

Working Example [harmless "windows flower pot" screen saver]:

http://www.malware.com/badtranceman.zip

This is simple not acceptable. Guaranteed there are generic folk out there
who know nothing, and will open that attachment warning out of curiosity, be
it that their mail client Outlook Express 5.00 patched, 5.5 patched, 6.00
patched. The current proliferation can surely be based on that [as well].

The warning dialogue is just not good enough for executable file
attachments. A clear safety warning must follow the single, simple 'open it'
or 'save it' flimsy attachment warning. It is grossly unfair to the
clientele this vendor caters to and contributes to the destruction of the
internet infrastructure as a whole adding to making it unsafe for everyone. 

Please don't sell the nice little children shiny bright toys with toxic
parts that fall off that they can swallow and then claim they ought to know
better and not put it in their mouths.

references:

http://www.malware.com/carolclickme.html
http://www.malware.com/yoko.html
 

side irritational note: there is nothing more pleasurable than scratching
out 3/4 of this communication, then having the Windows operating system
freeze on you, hard reboot and start all over again.

side technical AV note: the W32/BadTrans.B-mm copies received are not
actually being sent through/by the mail client. They're in X-Unsent: 1 state
which means Message Composition State in Outlook Express, no doubt it's
clear to the AV experts it's using it's own SMTP engine but the headers and
boundary lines aren't of OE vintage, also each copy arrived with a zero byte
*.txt file attachment as well as the payload. It all appears to be a
peculiar construction.

simple solution: SWITCH OF HTML IN THE EMAIL CLIENT !


---
http://www.malware.com





______________________________________________________________________________
Send a friend your Buddy Card and stay in contact always with Excite Messenger
http://messenger.excite.com



  By Date           By Thread  

Current thread:
  • W32/BadTrans.B-mm [Was: File extensions spoofable in MSIE download dialog] http-equiv () excite com (Nov 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]