Re: IE 5.5 SP2 incident

[Jose Romeo Vela <jrvela () yahoo com>]

I understand that the worm is just sitting there in the cache and as
long as it does not run it does not become active. 

I should have been more clear on what I was looking for. My concerns
are the following:

1- Although in the cache, a Trojan is sitting there on the file system.
I am not comfortable with this idea at all. I see it as a risk.

2- Could a new exploit be developed to run the worm from the cache?

3- It would have been safer to patch IE so that it prompts the user
before storing (including caching) any file. I really deslike the idea
that "executables" are being downloaded behind the scenes in IE.

In general I am not satisfied with the patch. I feel that MS needs to
provide a stronger solution. 

Thanks.

--- Lars Gaarden <larsg () trustix com> wrote:
> Jose Romeo Vela wrote:
> > I came across something that make me think that IE 5.5 SP2 is still
> > vulnerable to NIMDA.
> >
> > Although, I hardly use IE since I prefer Netscape, I still have IE
> on
> > my PC. I updated my IE 5.5 to SP2 to avoid the vulnerability and I
> > decided to test it. It is my understanding that the patch does not
> > automatically store files sent by an exploit such as NIMDA's. I
> look at
> > my web server logs ( Linux/Apache, It rocks! ) and pick one of the
> ip
> > address that are tryin to hit me, I opened Netscape with this URL
> and I
> > get esked if I want to save the readme.eml (as expected). I try the
> > same thing with IE 5.5 SP2 and my Anti-virus goes bananas with
> > instances of NIMDA in the cache directory.
> >
> > IE 5.5 SP2 never asked me if I wanted to save the file. Appearently
> MS
> > in their infinite wisdon, caches the file right away. 
>
> No harm done if IE only caches the object. From my understanding of
> the SP2 fix, IE doesn't deny the downloading of the .elm embedded in
> the web page - it only fixes the run files with mimetype wav no
> questions asked bug.
>
> So, readme.eml is automatically cached - just like any other web
> page,
> .gif picture, or any other material you encounter while surfing the
> web.
> But, it has not been run automatically. The worm is in your web
> cache,
> but it hasn't been run and your PC has not been infected.
>
> -- 
> LarsG


=====
Regards.
Jose Romeo Vela

jrvela () yahoo com

__________________________________________________
Do You Yahoo!?
Get email alerts & NEW webcam video instant messaging with Yahoo! Messenger. http://im.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com