Re: MSIE may download and run progams automatically - NOT SO FAST

["http-equiv () excite com" <http-equiv () excite com>]

Saturday, December 15, 2001

"Jouko Pynnonen" <jouko () solutions fi> wrote in message 
  
> VENDOR STATUS
>
> Microsoft was initially contacted on November 19th with the information
> regarding the "file extension spoofing" problem. The Security Warning
> dialogs of IE5 could be bypassed with that exploit, but the "automatically
> start an .exe" variation of the vulnerability wasn't known at the time.
> Microsoft didn't consider the file extension spoofing problem a security
> vulnerability. The company was informed about the new variation on
> November 27th and started working on a patch to correct the flaw. The
> patch is now out and downloadable on Microsoft's site at
>
> http://www.microsoft.com/technet/security/bulletin/MS01-058.asp

She and her beta team forgot about *the* most important Content-Type: 

Clearly what this so-called "patch" does is convert all embedded file types
in MHTML documents viewed in patched Internet Explorer 6 into *.TMP files.
Previously all file types and file names were retained and if accepted would
run.

What that means is when prompted for 'opening or saving', [screen shot:
http://www.malware.com/dumbload.jpg 14KB], if your hand should slip or if
you do not know any better and select 'open', because the file extension is
*.TMP, you will be asked 'what do you want to open the file with' (screen
shot: http://www.malware.com/sesame.jpg 20KB) which does indeed kill any
accidental or running of the file.

Working example:

[open in IE6 "patched"]

http://www.malware.com/badman.zip 11KB

Before the patch and under an MTHML file situated on the web site and viewed
with Internet Explorer 6, you would be in a position to manipulate the file
extension and download box as displayed here: 
[screen shot: http://www.malware.com/ohno.jpg 27KB] 

Now with the so-called "patch", regardless of the filename="malware.exe" or
the Content-Type: image/gif; combination, everything is effectively
converted to a *.TMP file in the Temporary Internet File. Attempting to open
the *.TMP, depending on what it is will either bring up the 'what do you
want to open the file with' box, or display the file as plain text.

Dangerous files such as *.exe or *.scr or *.bat simply will not run if you
elect to run the file through the Internet Explorer 6 patched browser.
Sounds good.

Unfortunately, while she did a fairly reasonable job on this so-called
"patch" she forgot one of the most important content-types. Her very own
invention. The one and only:

Content-Type: application/hta;

We are still able to invoke a download, that if accepted will execute our
malware on the target computer, through the "patched" Internet Explorer 6.

This newly found creation of download file conversion through MHTML to
generic *.TMP file name on the download box coupled with the 'supposed'
security of this so-called "patch" will most definitely yield plenty of
quick prey:

Working Example:

[self explanatory includes harmless *.exe, open in IE6 "patched"]

http://www.malware.com/dumbload.zip 4KB

Notes:

1. We note that this patch has zero effect on Outlook Express 6 and the
ability to "spoof" file names [see: http://www.securityfocus.com/bid/3271].
Coming up 17 months and counting now.
2. Workhorse: Windows 98 and Internet Explorer 6.0.2600 and this so-called
"patch".
3. Seasons Greetings to Everyone. Yeah you too, incompetent slobs.

End Call

---
http://www.malware.com





______________________________________________________________________________
Send a friend your Buddy Card and stay in contact always with Excite Messenger
http://messenger.excite.com