Vulnerability Development mailing list archives
Re: Fw: [Re: Rather large MSIE-hole] another variant
From: Jann Fischer <rezine () criminology de>
Date: Sat, 16 Mar 2002 12:26:32 +0100
On Fri, 15 Mar 2002 19:50:05 -0800 "madness" <madness () diffusion net> wrote:
FYI - Norton AV now picks this up. Scan type: Realtime Protection Scan Event: Virus Found! Virus name: XMLid.Exploit File: C:\XXXXX\Local Settings\Temporary Internet Files\Content.IE5\C9IVKTMJ\simplebind[1].htm Location: Quarantine Computer: XXXXXX User: XXXXXX Action taken: Clean failed : Quarantine succeeded : Access denied Date found: Fri Mar 15 19:46:32 2002 madness.
Indeed the recent Virii Scanner software pick up this bug. Noticed that the other day too, using some recent version of F-Secure. Encoding the HTML page into Unicode (UTF-16) will help, i.e. $ recode latin1..unicode exploit.html When you now browse this page with IE, the browser will happily accept the input, render it and execute the code -- the Virii scanner on the other hand stays calm, as it obviously doesn't care about Unicode at all. I don't know how and if other Virii scanners are affected by this "workaround", but I can imagine others behave similar to it. -- Jann Fischer <rezine () criminology de> :: http://www.mistrust.net/rezine.gpg FA8C 3663 9906 D8C3 AC16 F7C4 66E0 F351 6D83 9821
Attachment:
_bin
Description:
Current thread:
- Fw: [Re: Rather large MSIE-hole] another variant madness (Mar 15)
- Re: [Re: Rather large MSIE-hole] another variant Felipe Franciosi (Mar 16)
- Re: Fw: [Re: Rather large MSIE-hole] another variant Jann Fischer (Mar 16)