Vulnerability Development mailing list archives

Re: Fw: [Re: Rather large MSIE-hole] another variant


From: Jann Fischer <rezine () criminology de>
Date: Sat, 16 Mar 2002 12:26:32 +0100

On Fri, 15 Mar 2002 19:50:05 -0800
"madness" <madness () diffusion net> wrote:

> FYI - Norton AV now picks this up.
>
> Scan type:  Realtime Protection Scan
> Event:  Virus Found!
> Virus name: XMLid.Exploit
> File:  C:\XXXXX\Local Settings\Temporary Internet Files\Content.IE5\C9IVKTMJ\simplebind[1].htm
> Location:  Quarantine
> Computer:  XXXXXX
> User:  XXXXXX
> Action taken:  Clean failed : Quarantine succeeded : Access denied
> Date found: Fri Mar 15 19:46:32 2002
>
> madness.


Indeed the recent Virii Scanner software picks up this bug. Noticed
that the other day too, using some recent version of F-Secure.
Encoding the HTML page into Unicode (UTF-16) will help, i.e.

$ recode latin1..unicode exploit.html

When you now browse this page with IE, the browser will happily
accept the input, render it and execute the code -- the Virii
scanner on the other hand stays calm, as it obviously doesn't
care about Unicode at all. I don't know how and if other Virii
scanners are affected by this "workaround", but I can imagine
others behave similarly to it.

-- 
Jann Fischer <rezine () criminology de> :: http://www.mistrust.net/rezine.gpg
FA8C   3663   9906   D8C3   AC16          F7C4   66E0   F351   6D83   9821
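
The scanner gap described in the message above, seen from the detection side, as an added example that is not part of the original post: a byte-level signature match misses the UTF-16 copy of a page, while decoding to text before matching catches every encoding. The signature string, function names and sample page are constructed placeholders; the real XMLid.Exploit pattern is not on the page.

```python
import codecs
import re

# Constructed, harmless stand-in for a scanner signature; the post does not
# give the real XMLid.Exploit pattern.
SIGNATURE = re.compile(r"EXAMPLE-SIGNATURE-MARKER", re.IGNORECASE)

BOMS = [(codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be")]


def guess_encoding(data: bytes) -> str:
    """Choose a decoder: byte-order mark first, then a NUL-byte heuristic."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name
    sample = data[:512]
    if len(sample) >= 4:
        even_nuls = sample[0::2].count(0)
        odd_nuls = sample[1::2].count(0)
        half = len(sample) // 2
        # Mostly-ASCII text stored as UTF-16 has a NUL in every other byte.
        if odd_nuls > half * 0.6 and even_nuls < half * 0.1:
            return "utf-16-le"
        if even_nuls > half * 0.6 and odd_nuls < half * 0.1:
            return "utf-16-be"
    return "latin-1"


def naive_scan(data: bytes) -> bool:
    """Assumed model of the scanner in the post: match on single-byte text only."""
    return SIGNATURE.search(data.decode("latin-1")) is not None


def normalized_scan(data: bytes) -> bool:
    """Decode to text first, so every encoding of the page hits one pattern."""
    text = data.decode(guess_encoding(data), errors="replace").lstrip("\ufeff")
    return SIGNATURE.search(text) is not None


# Constructed sample page, stored in three encodings of the same text.
PAGE = "<html><body>EXAMPLE-SIGNATURE-MARKER</body></html>"
SAMPLES = {
    "latin1": PAGE.encode("latin-1"),
    "utf16_bom": codecs.BOM_UTF16_LE + PAGE.encode("utf-16-le"),
    "utf16_be_no_bom": PAGE.encode("utf-16-be"),
}
```

`naive_scan` flags only the Latin-1 sample; `normalized_scan` flags all three, including the UTF-16 sample that carries no byte-order mark.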
