Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: How often are IE security holes exploited?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 13 Dec 2002 21:14:44 +1300

"Richard M. Smith" <rms () computerbytesman com> replied to Paul:

Thanks for the reply.  Let me try to clarify things a bit.

I'm most interested in security holes related to IE, ActiveX controls,
and the Microsoft JVM.  Basically things that can be exploited from an
HTML Web page or email message.   As you noted, these kinds of security
holes can be exploited from Outlook, Outlook Express, and Windows Media

OK -- that's pretty much what I assumed in my other answer.

Something like Loveletter didn't use any security holes to run.  It's
probably the best example of social engineering being used to get people
to run a virus/worm by clicking on an attached file.

Well, it is that, but it was so successful because far too many
_corporate_ sites were so mal-administered or mal-managed. 
LoveLetter did not get sent to 350 squillion Email addresses because 
it found that many addresses in home and small business user address 
books.  It got there because it hit a few really large sites (think 
DoD, and the _really big_ corporations -- places with huge GALs and 
that use Outlook).  It took that level of embarrassment (sometimes 
repeated two or three times in teh ensuing month or two) for the 
admins and/or management at many large corporate sites to acknowledge 
that only blocking known viruses coming in, or possibly "known 
viruses plus attachments of one or two extensions that we suspect 
might be the big problem ones" was yet another case of a 
simplistically stupid approach to a complex problem that had only 
started to actually be exploited at that point...

Also does anyone know of an example of a virus or worm that used an IE
security hole that hadn't been seen before?

I forget exactly which offhand (perhaps the first Yaha or something
just before it?) took advantage of the CR-only (or LF-only??) line
break issue, in which many Unix mail servers will incorrectly pass
what should be CRLF line-terminations and are otherwise invalid
characters in standard SMTP traffic.  Several content filter and AV
Email scanner parsers "mis-handled" these messages, missing the
attachments entirely (why these products were not written from the
beginning to "fail closed" has still not been satisfactorily
answered) and passing the bad messages on.  Of course, Outlook
and/or OE "happily" saw the messages as intended and they would
detach and run the atatchments (and of course the users, feeling
"safe" because they knew their Email was scanned for bad things,
happily double-clicked away...).

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]