Vulnerability Development mailing list archives
Re: A possible VBS transport?
From: arjen.de.landgraaf () COLOGIC CO NZ (Arjen De Landgraaf)
Date: Mon, 22 May 2000 10:48:15 +1200
There is a warning issued (first alert 27 April) on the possibility of using injected JavaScript in LOWSRC. We have posted an example on our E-Secure-IT site (sorry, a protected site - subscription only) "We originally had this file in word format. However, the script is even executed on the abstract, when we search on this file in E-Secure-IT (HTML content search using Verity). Looks like this is a very powerful, and potentially dangerous vulnerability. Our sample vulnerability example in itself is not dangerous, although it does execute automatically! T his is potentially a very risky vulnerability. Only matter of time before hackers will make use of it somewhere! Turn off the default running of JavaScript in all HTML enabled applications, incl. Browsers and Word! Best regards, Arjen de Landgraaf Co-Logic Corporate E-Security Solutions and Services Auckland, New Zealand www.cologic.co.nz www.e-secure-it.co.nz -----Original Message----- From: Timothy J. Miller [mailto:timothy.miller () AFIWC01 AF MIL] Sent: Saturday, 20 May 2000 01:18 To: VULN-DEV () SECURITYFOCUS COM Subject: A possible VBS transport? I noticed something while screwing around on some web sites last night. One site used a frameset with a null frame, which I've found to be not uncommon. However, when looking at this file (served up dutifully as text/html), it contained a basic HTML header (essentially a BASE HREF tag) and the remainder was binary data that turned out to be a Word 97 document with a script that opened a popup containing a bunch of click-through ads (again, not uncommon). Of course, Word happily renders HTML. Also of course, OLE allows the browser to invoke Office components to display embedded Office files (if you recall the Russian New Year exploit from a couple of years ago). My thinking turns to what could do with any kind of script embedded in this HTML-cum-Word document. Could this be used to transport macro/VBS viruses? It has the potential to evade the user-side decision to open an attachment. Personally, I've never seen this kind of thing before, but I typically keep myself clear of MS-related activities. Has anyone done any work in this regard, or seen anything related? Or am I completely off-base?
Current thread:
- A possible VBS transport? Timothy J. Miller (May 19)
- <Possible follow-ups>
- Re: A possible VBS transport? Arjen De Landgraaf (May 21)