Full Disclosure mailing list archives
RE: Xmas virus on the cards ?
From: Jay Libove <libove () felines org>
Date: Thu, 18 Dec 2003 08:54:54 -0500
This seems to take advantage of an IE 6.0 (prior to Windows XP SP2) "feature"...

http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp

In short, when IE is NOT given any other hints as to the type of content of a particular link - that is, the link does not come from <A IMG...> or an HTML email message with MIME type information in it, but simply is pointed right at http://foo.com/I_am_not_really_an_image.JPG - IE will evaluate the header bytes of the object, a la the UNIX "file" command, and if it is one of I think 28 formats that IE can puzzle out, IE will "helpfully" launch it with the "correct" handler application.

This is clearly taking "serve pedantically, accept openly" waaaay too far. Actually, even Microsoft realizes this. Our named MS support rep told me that XP SP2 will address this. I hope he means that it will totally remove this Bad Idea(TM) from IE, but only time will tell that.

Simple example, put up a copy of something_innocuous.exe and label it something_innocuous.jpg and then point your web browser straight at http://the.host/something_innocuous.jpg. It won't appear as a broken JPG image - it will ask you if you want to open or save the executable...

-Jay Libove, CISSP

-----Original Message-----
From: security squirrel [mailto:secsquirrel () lycos com]
Sent: Thursday, December 18, 2003 7:59 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Xmas virus on the cards ?

Hi all - I noticed this article at http://www.vnunet.com/News/1151553 and it looks alarming - however did not find any more details. If I understand well an HTML file is renamed to JPG and attached to an email. However I did not manage to reproduce this.

This is my summary of the article:

1. xmas card emails to LEAD to innocent images which are not images but have viruses
2. Mail Filtering systems should handle images just like HTML files + educate
3. ISS reports that this was on a hacker mailing list
4. techniques to bypass firewalls by MISLABELLING html files as JPGs
5. Steven Darrall is a senior consultant at ISS X-Force Security Assessment Services
6. The problem is caused by Microsoft's Internet Explorer (IE) web browser automatically opening files labelled with .jpg or .gif extensions.
7. Hackers have posted a proof-of-concept file in which the content was a script that caused the browser to download and install a virus according to Darrall
8. The site serving the virus has since been shut down

Is the image an attachment or is it simply a link to a .jpg file on an HTTP server? Did anyone manage to reproduce this or can point to the original post on the "hacker mailing list" which describes this?

- Sec-Squirrel :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
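
A filter-side version of the check described in the message above, as an added example that is not code from either poster: compare the type a file name claims with the type its leading bytes indicate, and refuse image-named files whose content is really executable or HTML. The signature list, verdict names and sample bytes are constructed for illustration.

```python
import os

# Magic-byte signatures, in the spirit of the UNIX "file" command.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"MZ", "executable"),  # DOS/PE header
]
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body", b"<iframe")

# Extension -> content type the file name claims.
CLAIMED = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png"}


def sniff(data: bytes) -> str:
    """Guess the content type from the leading bytes only."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    head = data[:512].lower()
    if any(marker in head for marker in HTML_MARKERS):
        return "html"
    return "unknown"


def check(filename: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, sniffed type) for a file whose name claims an image."""
    claimed = CLAIMED.get(os.path.splitext(filename.lower())[1])
    actual = sniff(data)
    if claimed is None:
        return "not-an-image-name", actual
    if actual == claimed:
        return "ok", actual
    # Name says image, bytes say otherwise: judge it by what the bytes are.
    return ("block" if actual in ("executable", "html") else "quarantine"), actual


# Constructed sample inputs (not real files).
SAMPLES = {
    "card.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "something_innocuous.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
    "xmas_card.gif": b"  <HTML><SCRIPT>/* constructed */</SCRIPT></HTML>",
    "truncated.png": b"\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check(name, body))
```
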
Current thread:
- Xmas virus on the cards ? security squirrel (Dec 18)
- Re: [Full-Disc]: Xmas virus on the cards ? Anders (Dec 18)
- <Possible follow-ups>
- Xmas virus on the cards ? security squirrel (Dec 18)
- RE: Xmas virus on the cards ? Jay Libove (Dec 18)
- RE: Xmas virus on the cards ? Schmehl, Paul L (Dec 18)
- RE: Xmas virus on the cards ? security squirrel (Dec 18)