Re: IE 5.5 SP2 incident

[Lars Gaarden <larsg () trustix com>]

Jose Romeo Vela wrote:
> I came across something that make me think that IE 5.5 SP2 is still
> vulnerable to NIMDA.
>
> Although, I hardly use IE since I prefer Netscape, I still have IE on
> my PC. I updated my IE 5.5 to SP2 to avoid the vulnerability and I
> decided to test it. It is my understanding that the patch does not
> automatically store files sent by an exploit such as NIMDA's. I look at
> my web server logs ( Linux/Apache, It rocks! ) and pick one of the ip
> address that are tryin to hit me, I opened Netscape with this URL and I
> get esked if I want to save the readme.eml (as expected). I try the
> same thing with IE 5.5 SP2 and my Anti-virus goes bananas with
> instances of NIMDA in the cache directory.
>
> IE 5.5 SP2 never asked me if I wanted to save the file. Appearently MS
> in their infinite wisdon, caches the file right away. 

No harm done if IE only caches the object. From my understanding of
the SP2 fix, IE doesn't deny the downloading of the .elm embedded in
the web page - it only fixes the run files with mimetype wav no
questions asked bug.

So, readme.eml is automatically cached - just like any other web page,
.gif picture, or any other material you encounter while surfing the web.
But, it has not been run automatically. The worm is in your web cache,
but it hasn't been run and your PC has not been infected.

--
LarsG


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com