Security Incidents mailing list archives

Re: [Bradley Chapman <eaglebtc () byu edu>] Timothy McVeigh "video" link lures IRC users to install sub7


From: Gary Flynn <flynngn () jmu edu>
Date: Tue, 12 Jun 2001 13:34:56 -0400

The page itself is blank.  After about 2 seconds, it forwards to an email
link at:

http://www.concentric.net/~1horizon/unknown.eml

The pages appear to be unavailable now.

This may be coincidental but EML MIME types are the basis for exploits
for the bug described in:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

There have been exploits available for some time that are pathetically
easy to use. If a vulnerable browser visits a web site, any file can
be dropped on the vulnerable client without notification or user
action.

http://www.kriptopolis.com/cua/eml.html

The original poster indicated he opened the .eml file in Outlook Express.
If he has a vulnerable version of IE, it is possible that his computer
had the update.exe file dropped on it somewhere, probably the startup
folder, even though he didn't click on an attachment.

I've been expecting something bad to come from this for some time.

http://www.jmu.edu/computing/info-security/engineering/issues/iemime.shtml

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
