Bugtraq mailing list archives
RE: Still Vulnerable in MSIE
From: "Drew Copley" <dcopley () eeye com>
Date: Mon, 17 May 2004 11:38:24 -0700
-----Original Message-----
From: Thor Larholm [mailto:thor () pivx com]
Sent: Friday, May 14, 2004 3:45 PM
To: Greg Kujawa; bugtraq () securityfocus com
Subject: RE: Still Vulnerable in MSIE
<snip>
which uses the Object Data vulnerability to change your startpage to http://default-homepage-network.com/start.cgi?hkcu
Bastards, watching my work. (reference) http://www.eeye.com/html/Research/Advisories/AD20030820.html

<snip>
Other files that are attempted to be delivered are
http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe
http://validation-required.info/
Money shot there. "validation-required.info" is the same site used by that phishing attack I just posted on.

http://www.securityfocus.com/archive/1/363350/2004-05-14/2004-05-20/1

[ ISP Organization Information ]
Org Name : Enterprise Networks
Service Name : ENTERPRISENET
Org Address : GNG IDC B/D, 343-1 Yhatap-dong, Pundang-gu, Seongnam

[ ISP IP Admin Contact Information ]
Name : Hyo-Sun, Chang
Phone : +82-2-2105-6082
Fax : +82-2-2105-6100
E-Mail : ip () epnetworks co kr

The traceback on the email we received was to a BT British system, likely hacked... and as I have noted, the same source code was posted on an Italian board in Italian with an Italian email address in December. (Not that the attacker was necessarily the same person or, if he was, that he is Italian. Further, often these things are not done by lone individuals, though they are simple enough to be done by lone individuals. Only smart criminals work by themselves. And criminals tend to not be so smart until they retire.)
http://www.popmoney.net/ip/index.php
http://www.portalone.hostance.com.com/italia.exe

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation. <http://www.pivx.com/qwikfix>

-----Original Message-----
From: Greg Kujawa [mailto:greg.kujawa () diamondcellar com]
Sent: Friday, May 14, 2004 7:37 AM
To: bugtraq () securityfocus com
Subject: Still Vulnerable in MSIE

With the latest vendor AV definitions and all of the Microsoft Security Updates, my MSIE 6 application still was vulnerable to some apparent cross-site scripting exploit. I was hit with one of the many Agobot variants when exiting a site detailing some IE vulnerabilities (http://www.hnc3k.com). The site exit led to a series of pop-up and pop-under ads. All of these site redirects apparently resulted in a www2.flingstone.com site dropping an infamous.exe file onto my computer. All the while I saw no prompts to download or execute anything whatsoever. All I did was close the windows that were coming up. Just an FYI, since even the latest updates on all fronts cannot ensure peace of mind.
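Added example (not code from any of the posters above): the thread describes a start page hijack written under HKCU and a dropped executable, so a responder's first check on a suspect box is the Internet Explorer "Main" values and the Run/RunOnce keys. The script below parses a `.reg` export of those keys (the sample export is constructed for this example) and flags any start/search page or autorun entry whose host or file name appears in the indicator list taken from the thread, plus any start page not on a small allowlist. The allowlist contents and the key/value names it inspects are assumptions for the example, not something the thread specifies.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the thread above (hosts and file names named by the posters).
IOC_HOSTS = {
    "default-homepage-network.com",
    "www.addictivetechnologies.net",
    "validation-required.info",
    "www2.flingstone.com",
    "www.popmoney.net",
    "www.portalone.hostance.com.com",
}
IOC_FILES = {"emcraft1.exe", "emcraft1.cab", "infamous.exe", "italia.exe"}

# Assumed allowlist of start-page hosts that should not be reported.
DEFAULT_ALLOWED = frozenset({"about:blank", "www.microsoft.com"})

# IE "Main" values a start page hijacker typically rewrites (assumed set).
IE_MAIN_VALUES = {"start page", "search page", "default_page_url", "default_search_url"}
IE_MAIN_SUFFIX = "\\software\\microsoft\\internet explorer\\main"
RUN_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')


def parse_reg(text):
    """Parse REG_SZ values from a .reg export into {key: {name: value}}.
    Only quoted string values are read; hex/dword values and @ defaults are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape quotes and backslashes as \" and \\
            keys[current][m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys


def exe_name(command):
    """Lower-cased file name of the program in a Run-style command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]   # quoted path: everything up to the closing quote
    else:
        cmd = cmd.split(" ", 1)[0]       # unquoted path: arguments follow the first space
    return re.split(r"[\\/]", cmd)[-1].lower()


def find_hijacks(reg_text, allowed_hosts=DEFAULT_ALLOWED):
    """Return (severity, key, name, value) tuples. severity is "ioc" for a match
    against the thread's hosts/files and "unexpected" for a start page off the allowlist."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k.endswith(IE_MAIN_SUFFIX):
            for name, value in values.items():
                if name.lower() not in IE_MAIN_VALUES:
                    continue
                host = urlsplit(value).hostname or value.lower()
                if host in IOC_HOSTS:
                    findings.append(("ioc", key, name, value))
                elif host not in allowed_hosts:
                    findings.append(("unexpected", key, name, value))
        elif k.endswith(RUN_SUFFIXES):
            for name, value in values.items():
                if exe_name(value) in IOC_FILES:
                    findings.append(("ioc", key, name, value))
    return findings


# Constructed sample export, shaped like what "reg export" produces on the keys above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://default-homepage-network.com/start.cgi?hkcu"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"emCraft"="C:\\WINDOWS\\emCraft1.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for severity, key, name, value in find_hijacks(SAMPLE_REG):
        print(f"[{severity}] {key}\\{name} = {value}")
```

On a real box, export the three keys with `reg export` and feed the file to `find_hijacks`; the "unexpected" hits are there to catch hijack domains that are not yet on anyone's list, which is the situation Greg describes.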
Current thread:
- Still Vulnerable in MSIE Greg Kujawa (May 14)
- <Possible follow-ups>
- RE: Still Vulnerable in MSIE Thor Larholm (May 15)
- RE: Still Vulnerable in MSIE Drew Copley (May 17)