Bugtraq mailing list archives

W32/BadTrans.B-mm [Was: File extensions spoofable in MSIE download dialog]
From: "http-equiv () excite com" <http-equiv () excite com>
Date: Mon, 26 Nov 2001 20:45:10 -0800 (PST)

"Jouko Pynnonen" <jouko () solutions fi> wrote in message:

> The flaw has been successfully exploited with Internet Explorer 5.5 and
> 6. An IE5 with the latest updates shows the spoofed file name and
> extension without a sign of EXE, and issues no Security Warning dialog
> after the file download dialog.
>
> Microsoft was contacted on November 19th. The company doesn't currently
> consider this a vulnerability; they say that the trust decision should
> be based on the file source and not type. The origin of the file, i.e. the
> web server's hostname, can't be spoofed with this flaw. It's not known
> whether a patch is going to be produced. Microsoft is currently
> investigating the issue.

This is interesting, but not surprising. A couple of hours ago, we received two
copies of the new W32/BadTrans.B-mm and, taking a closer look, we found the

1. A lot of noise is being made about how the vulnerability that this uses
is old, and that many patches, service packs, warnings, other i-worms
utilising the vulnerability have come and gone, yet there is wide-scale
spreading of this variant today.

2. The two copies we received were from Outlook Express 6.00 mail clients.
How can that be? They are not vulnerable to the so-called audio/x-wav MIME
IFRAME Outlook Express vulnerability.

3. What we found was precisely as you describe above, as what was discussed
and demonstrated over 12 months ago, and as recent as 3 months ago:
http://www.securityfocus.com/bid/3271, and as the vendor continuously claims
as above.

4. In the case of Outlook Express 6 [and probably the others, even the
patched others], the W32/BadTrans.B-mm uses *.scr or *.pif files.

5. We found that a *.scr file incorporated in an IFRAME, does in fact
execute after only the single 'open it' or 'save it' attachment warning.
There is no second 'SECURITY WARNING', simply accepting the generic
attachment warning dialogue runs the *.scr without any other warning. *.exe
won't run.

Working Example [harmless "windows flower pot" screen saver]:


This is simply not acceptable. Guaranteed there are generic folk out there
who know nothing, and will open that attachment warning out of curiosity, be
it that their mail client is Outlook Express 5.00 patched, 5.5 patched, or 6.00
patched. The current proliferation can surely be based on that [as well].

The warning dialogue is just not good enough for executable file
attachments. A clear safety warning must follow the single, simple 'open it'
or 'save it' flimsy attachment warning. It is grossly unfair to the
clientele this vendor caters to, and it contributes to the destruction of the
internet infrastructure as a whole, adding to making it unsafe for everyone.

Please don't sell the nice little children shiny bright toys with toxic
parts that fall off that they can swallow and then claim they ought to know
better and not put it in their mouths.



side irritational note: there is nothing more pleasurable than scratching
out 3/4 of this communication, then having the Windows operating system
freeze on you, hard reboot and start all over again.

side technical AV note: the W32/BadTrans.B-mm copies received are not
actually being sent through/by the mail client. They're in X-Unsent: 1 state,
which means Message Composition State in Outlook Express. No doubt it's
clear to the AV experts that it's using its own SMTP engine, but the headers and
boundary lines aren't of OE vintage; also, each copy arrived with a zero-byte
*.txt file attachment as well as the payload. It all appears to be a
peculiar construction.
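The AV note above lists several things a mail gateway can key on without needing a signature for the worm itself: a delivered message still carrying the Outlook Express composition-state header `X-Unsent: 1`, an attachment with a *.scr or *.pif extension (possibly declared under an audio/x-wav MIME type and pulled in by an IFRAME), and an empty *.txt attachment riding along with the payload. The following is an added example of such a check, not code from the original post or from any AV product; the two sample messages are constructed for the example, and the filename `PLACEHOLDER_NAME.scr` is a stand-in, not the worm's real attachment name.

```python
"""Gateway-side indicator check for the message construction described in the
Bugtraq post (added example, not part of the original post).  Sample messages
below are constructed, not captured traffic."""

import os
from email import message_from_string
from email.message import Message

# Extensions the post says run after only the single attachment warning,
# plus the usual executable suspects.
EXECUTABLE_EXTS = {".scr", ".pif", ".exe", ".com", ".bat"}


def _leaf_parts(msg: Message):
    """Yield every non-multipart MIME part of a parsed message."""
    for part in msg.walk():
        if not part.is_multipart():
            yield part


def badtrans_indicators(raw_message: str) -> list:
    """Return the list of indicators found in a raw RFC 822 message.

    An empty list means none of the described traits were seen.  Each entry is
    a short tag so the caller can score or log them individually."""
    msg = message_from_string(raw_message)
    hits = []

    # 'X-Unsent: 1' marks a message still in Outlook Express composition state;
    # a message that actually went out through OE should not carry it, so its
    # presence points at a mailer imitating OE rather than OE itself.
    if msg.get("X-Unsent", "").strip() == "1":
        hits.append("x-unsent-composition-state")

    for part in _leaf_parts(msg):
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # get_filename() reads both Content-Disposition filename= and Content-Type name=
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]

        # HTML body that embeds an IFRAME is the vehicle the post describes.
        if ctype == "text/html" and b"<iframe" in payload.lower():
            hits.append("iframe-in-html-body")

        if ext in EXECUTABLE_EXTS:
            hits.append(f"executable-attachment:{name}")
            # An executable extension declared as a media type is the
            # audio/x-wav MIME trick mentioned in the post.
            if ctype.startswith(("audio/", "image/", "video/")):
                hits.append(f"mime-type-mismatch:{ctype}:{name}")

        # Zero-byte *.txt attachment riding along with the payload.
        if ext == ".txt" and not payload.strip():
            hits.append(f"empty-txt-attachment:{name}")

    return hits


# Constructed sample: shape of the message the post describes.
SUSPICIOUS = """From: someone@example.invalid
To: victim@example.invalid
Subject: Re:
X-Unsent: 1
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:payload"></iframe></body></html>
--b1
Content-Type: text/plain; name="readme.txt"
Content-Disposition: attachment; filename="readme.txt"

--b1
Content-Type: audio/x-wav; name="PLACEHOLDER_NAME.scr"
Content-Disposition: attachment; filename="PLACEHOLDER_NAME.scr"
Content-ID: <payload>

not-a-real-binary
--b1--
"""

# Constructed sample: an ordinary message with a document attached.
CLEAN = """From: colleague@example.invalid
To: victim@example.invalid
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Here are the notes.
--b2
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"

not-a-real-pdf
--b2--
"""

if __name__ == "__main__":
    print("suspicious:", badtrans_indicators(SUSPICIOUS))
    print("clean:", badtrans_indicators(CLEAN))
```

The check deliberately scores traits rather than blocking on any single one: `X-Unsent: 1` alone is an odd header, not proof of anything, but together with an executable extension under a media MIME type and an empty *.txt companion it matches the construction the post describes closely enough to quarantine for review.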



