Vulnerability Development mailing list archives

Re: A possible VBS transport?


From: arjen.de.landgraaf () COLOGIC CO NZ (Arjen De Landgraaf)
Date: Mon, 22 May 2000 10:48:15 +1200


There is a warning issued (first alert 27 April) on the possibility of
using injected JavaScript in LOWSRC.
We have posted an example on our E-Secure-IT site (sorry, a protected
site - subscription only)

"We originally had this file in word format. However, the script is even
executed on the
abstract, when we search on this file in E-Secure-IT (HTML content
search using Verity).
Looks like this is a very powerful, and potentially dangerous
vulnerability.
Our sample vulnerability example in itself is not dangerous, although it
does execute automatically!
This is potentially a very risky vulnerability. Only a matter of time
before hackers will make use of it
somewhere! Turn off the default running of JavaScript in all HTML
enabled applications, incl. Browsers and Word!

Best regards,
Arjen de Landgraaf
Co-Logic
Corporate E-Security Solutions and Services
Auckland, New Zealand
www.cologic.co.nz
www.e-secure-it.co.nz

-----Original Message-----
From: Timothy J. Miller [mailto:timothy.miller () AFIWC01 AF MIL]
Sent: Saturday, 20 May 2000 01:18
To: VULN-DEV () SECURITYFOCUS COM
Subject: A possible VBS transport?

I noticed something while screwing around on some web sites last
night.

One site used a frameset with a null frame, which I've found to be not
uncommon.  However, when looking at this file (served up dutifully as
text/html), it contained a basic HTML header (essentially a BASE HREF
tag) and the remainder was binary data that turned out to be a Word 97
document with a script that opened a popup containing a bunch of
click-through ads (again, not uncommon).

Of course, Word happily renders HTML.  Also of course, OLE allows the
browser to invoke Office components to display embedded Office files
(if you recall the Russian New Year exploit from a couple of years
ago).

My thinking turns to what one could do with any kind of script embedded in
this HTML-cum-Word document.  Could this be used to transport
macro/VBS viruses?  It has the potential to evade the user-side
decision to open an attachment.  Personally, I've never seen this kind
of thing before, but I typically keep myself clear of MS-related
activities.

Has anyone done any work in this regard, or seen anything related?  Or
am I completely off-base?
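
A defender-side check for the file shape described in the original message (a basic HTML header followed by a Word 97 binary, served as text/html), as an added example that is not part of either post: it scans a response body for an OLE2 compound-file header sitting behind HTML markup. The function names, verdict strings and sample bytes are constructed for illustration.

```python
import re
import struct

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file signature used by Word 97 .doc
HTML_HINT = re.compile(rb"<\s*(html|head|base|body|frameset|script)\b", re.I)


def ole_header_at(body: bytes, off: int) -> bool:
    """Validate the fixed header fields after the signature to cut false positives."""
    if len(body) < off + 32:
        return False
    # Offsets 26, 28, 30: major version, byte-order mark, sector shift (little-endian).
    major, byte_order, sector_shift = struct.unpack_from("<HHH", body, off + 26)
    return byte_order == 0xFFFE and (major, sector_shift) in {(3, 9), (4, 12)}


def find_embedded_ole(body: bytes) -> int:
    """Return the offset of the first plausible OLE2 header in body, or -1."""
    off = body.find(OLE2_MAGIC)
    while off != -1 and not ole_header_at(body, off):
        off = body.find(OLE2_MAGIC, off + 1)
    return off


def classify(content_type: str, body: bytes) -> str:
    """Flag text/html responses that carry an OLE2 document."""
    if not content_type.lower().startswith("text/html"):
        return "not-html"
    off = find_embedded_ole(body)
    if off == -1:
        return "clean"
    kind = "html-prefixed-ole2" if HTML_HINT.search(body[:off]) else "ole2-in-html-response"
    return f"{kind}@{off}"


# Constructed sample: a BASE HREF header followed by the start of a version 3 compound file.
PREFIX = b'<html><head><base href="http://example.invalid/"></head>\r\n'
OLE_HEADER = OLE2_MAGIC + bytes(16) + struct.pack("<HHHH", 0x3E, 3, 0xFFFE, 9)
SAMPLE = PREFIX + OLE_HEADER + bytes(480)

if __name__ == "__main__":
    print(classify("text/html; charset=iso-8859-1", SAMPLE))
```

A proxy or mail gateway could run such a check on bodies declared as text/html and strip or quarantine matches before a client hands them to an Office component.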

