Security Incidents mailing list archives
Re: IE 5.5 SP2 incident
From: Jose Romeo Vela <jrvela () yahoo com>
Date: Mon, 24 Sep 2001 08:39:17 -0700 (PDT)
I understand that the worm is just sitting there in the cache and as long as it does not run it does not become active. I should have been more clear on what I was looking for. My concerns are the following:

1- Although in the cache, a Trojan is sitting there on the file system. I am not comfortable with this idea at all. I see it as a risk.
2- Could a new exploit be developed to run the worm from the cache?
3- It would have been safer to patch IE so that it prompts the user before storing (including caching) any file. I really dislike the idea that "executables" are being downloaded behind the scenes in IE.

In general I am not satisfied with the patch. I feel that MS needs to provide a stronger solution.

Thanks.

--- Lars Gaarden <larsg () trustix com> wrote:
> Jose Romeo Vela wrote:
> > I came across something that makes me think that IE 5.5 SP2 is still vulnerable to NIMDA. Although I hardly use IE since I prefer Netscape, I still have IE on my PC. I updated my IE 5.5 to SP2 to avoid the vulnerability and I decided to test it. It is my understanding that the patch does not automatically store files sent by an exploit such as NIMDA's. I look at my web server logs (Linux/Apache, It rocks!) and pick one of the IP addresses that are trying to hit me, I opened Netscape with this URL and I get asked if I want to save the readme.eml (as expected). I try the same thing with IE 5.5 SP2 and my Anti-virus goes bananas with instances of NIMDA in the cache directory. IE 5.5 SP2 never asked me if I wanted to save the file. Apparently MS, in their infinite wisdom, caches the file right away.
>
> No harm done if IE only caches the object. From my understanding of the SP2 fix, IE doesn't deny the downloading of the .eml embedded in the web page - it only fixes the "run files with mimetype wav, no questions asked" bug.
>
> So, readme.eml is automatically cached - just like any other web page, .gif picture, or any other material you encounter while surfing the web. But, it has not been run automatically. The worm is in your web cache, but it hasn't been run and your PC has not been infected.
>
> -- LarsG
=====
Regards.
Jose Romeo Vela
jrvela () yahoo com