Full Disclosure mailing list archives
Re: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 09 Sep 2003 17:23:21 +1200
ADBecker () chmortgage com replied to GreyMagic to "http-equiv":
> The patch for Drew's object data=funky.hta doesn't work:
>
> This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which
> explains the problem in detail. Microsoft again patches the object element
> in HTML, but it doesn't patch the dynamic version of that same element.
>
> 1. Disable Active Scripting
>
> This actually means that no scripting is needed at all in order to exploit
> this amazingly critical vulnerability:
>
> <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
> <xml id="oExec">
>   <security>
>     <exploit>
>       <![CDATA[ <object data=x.asp></object> ]]>
>     </exploit>
>   </security>
> </xml>
>
> Ouch.
>
> Updated antivirus software should catch this exploit and prevent any
> application from being launched. ...
Really? I was not aware that most (or any) typically deployed AV s/w interdicts itself between the web browser and browsed sites. To reliably detect Object Data Tag exploits that would be necessary, as exploiting this vulnerability depends on "properly formed" HTML requesting a remote resource that is then provided with an "unexpected" type (as indicated in the HTTP protocol reply headers). It is this mismatch of the types that is the problem as the initial (HTML) parser has already decided (based on the apparent filename of the resource) that the type is "safe" to execute but there is no secondary check that the type returned by the server actually matches the expected type. If your scanner is detecting anything, the odds are extremely high that it will be the code of a specific exploit, rather than generic exploit code as there really is no such thing in this case.
> ... We have McAfee VirusScan 7 Ent. which caught both exploit examples at
> http://greymagic.com/adv/gm001-ie/
Hmmmmmm -- if what you meant was simply that your scanner detects both of the exploits linked from GreyMagic's page, I suspect that you have too much blind faith in your scanner. When GreyMagic said "This is the exact same issue as ..." he did not mean that it is the same exploit. He did not even mean that the same exploit mechanism was at work. That means scanners that detect his PoC exploits will not (with the same detection code) detect exploits of this new problem. What he meant was that the exact same slothful and incomplete analysis of the problem by Microsoft as led to his exposure of flaws in a previous IE patch are at work in producing the exact same kind of flawed patch here.

...

Further, _if_ your virus scanner detects the PoC exploits http-equiv has posted, don't sit back content in the "knowledge" that your scanner will save you from the next "in the wild" exploit of this vulnerability to fly past your Email scanners. In such cases the odds are exceptionally high that your scanner is _not_ detecting an attempt to exploit the vulnerability but is simply detecting the "decode, drop and execute an EXE file from an HTML-embedded script" code from the script that runs as a result of the vulnerability already having been exploited. Whilst it is true that many skiddies and some spammers are far too untalented to come up with new encoding/decoding schemes that will "slip past" most virus scanners (until their next updates add detection of each new, specific method), not all those who would use exploits of MS03-032 against you are that lame.
You would be much better off to, as Drew Copley posted earlier today to Bugtraq and some other lists, implement blocking of anything supplied as application/hta type at a firewall or web proxy, or locally on every Windows client by butchering the application/hta settings under:

   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type

Drew's message is archived at the following for those wishing to read it in its entirety:

   http://www.securityfocus.com/archive/1/336625

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
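The response-side check the message argues for, as an added example that is not part of the original post or of Drew Copley's advisory: the browser picks the handler from the apparent filename in the object's data URL, so a filter keyed on the request URL waves through "x.asp"; the server's Content-Type header is the only reliable signal, and it is visible only at a proxy or firewall that inspects responses. The function names, the BLOCKED_TYPES set and the sample responses are constructed for illustration, and a proxy rule like this covers only traffic that actually transits the proxy, which is why the message also gives the per-client registry change.

```python
"""Content-Type check for the Object Data Tag problem (added example)."""
import posixpath
from urllib.parse import urlsplit

# Media types a browser must never receive, whatever URL they came under.
# application/hta is the type at issue in MS03-032 (assumed policy set).
BLOCKED_TYPES = {"application/hta"}


def media_type(content_type_value):
    """Bare media type, lower-cased, parameters dropped.

    'Application/HTA; charset=windows-1252' -> 'application/hta'
    """
    return content_type_value.split(";", 1)[0].strip().lower()


def parse_response_head(raw):
    """Split a raw HTTP response into (status_code, headers, body).

    Header names are lower-cased; a repeated header keeps its last value,
    which matches how browsers resolve a duplicated Content-Type.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def url_extension(url):
    """Extension of the URL path: all the HTML parser looks at."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def naive_filter_blocks(url):
    """URL-only filter: blocks *.hta and nothing else."""
    return url_extension(url) == ".hta"


def response_filter_blocks(raw_response):
    """Response-aware filter: blocks on the media type actually served."""
    _, headers, _ = parse_response_head(raw_response)
    return media_type(headers.get("content-type", "")) in BLOCKED_TYPES


def classify(url, raw_response):
    """Show how both filters treat one fetch.

    'mismatch' is True when the URL looks harmless but the server supplied
    a blocked type: the case the patch discussed above does not cover.
    """
    _, headers, _ = parse_response_head(raw_response)
    naive = naive_filter_blocks(url)
    aware = response_filter_blocks(raw_response)
    return {
        "url": url,
        "extension": url_extension(url),
        "served_type": media_type(headers.get("content-type", "")),
        "naive_filter_blocks": naive,
        "response_filter_blocks": aware,
        "mismatch": aware and not naive,
    }


# Constructed sample responses (not captured traffic).
SAMPLES = [
    # The http-equiv/GreyMagic pattern: innocuous name, HTA served.
    ("http://attacker.example/x.asp",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\n\r\n<html></html>"),
    # Obvious name: the URL-only filter catches this one too.
    ("http://attacker.example/funky.hta",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\n\r\n<html></html>"),
    # Parameters, odd case and a query string must not defeat the check.
    ("http://attacker.example/x.asp?id=1",
     b"HTTP/1.1 200 OK\r\nContent-Type: Application/HTA; charset=windows-1252"
     b"\r\n\r\n<html></html>"),
    # Ordinary page: nothing to block.
    ("http://www.example.com/index.html",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
]


def run_samples():
    return [classify(url, raw) for url, raw in SAMPLES]


if __name__ == "__main__":
    for r in run_samples():
        verdict = "BLOCK" if r["response_filter_blocks"] else "allow"
        note = " (missed by URL-only filter)" if r["mismatch"] else ""
        print(f"{verdict:5} {r['url']} served as {r['served_type']}{note}")
```

Running the block prints one line per sample; the two "x.asp" fetches are blocked only by the response-aware filter, which is the whole point of inspecting the type the server returns rather than the name the page asked for.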
Current thread:
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032, (continued)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Richard M. Smith (Sep 07)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Richard M. Smith (Sep 07)
- Re: BAD NEWS: Microsoft Security Bulletin MS03-032 morning_wood (Sep 08)
- Re: BAD NEWS: Microsoft Security Bulletin MS03-032 http-equiv () excite com (Sep 08)
- Re: BAD NEWS: Microsoft Security Bulletin MS03-032 Fabio Gomes de Souza (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Nick Jacobsen (Sep 07)
- FW: BAD NEWS: Microsoft Security Bulletin MS03-032 Richard M. Smith (Sep 07)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 GreyMagic Software (Sep 08)
- Re: [VulnWatch] RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Thomas Kristensen (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 ADBecker (Sep 08)
- Re: RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Nick FitzGerald (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Thor Larholm (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Nathan Wallwork (Sep 09)
- (Patch Updated) Microsoft Security Bulletin MS03-032 Jim (Sep 09)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Drew Copley (Sep 10)
- Re: BAD NEWS: Microsoft Security Bulletin MS03-032 Crist J. Clark (Sep 12)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Drew Copley (Sep 12)
- Re: RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Dimitri Limanovski (Sep 10)