BugTraq
RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Sep 08 2003 07:16PM
ADBecker chmortgage com (2 replies)
Re: [Full-Disclosure] RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Sep 09 2003 05:23AM
Nick FitzGerald (nick virus-l demon co uk)
RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Sep 08 2003 09:55PM
Drew Copley (dcopley eeye com) (1 replies)
Some AV will catch these because of malware's exploit code which he has
reused. Some AV will catch this because of greymagic's exploit code. Which
is all fine and good, a bit like a magic trick. Yes, the demonstration
exploit is caught... But the worm or trojan exploit someone maliciously
sends to your system -- this won't be caught.

The only sure way to detect this, I already wrote about [to Bugtraq]. That
is by setting a firewall rule which blocks the dangerous mimetype string
[Content-Type: application/hta]. Everything else in the exploit can change.

But, why merely detect it and risk encoded and other types of AV/IDS/IPS
evading techniques? Why not just do this fix? I think, ultimately, it
depends on how safe you want to be. Some people do not mind having their
systems be at risk. That is their choice.

> -----Original Message-----
> From: ADBecker (at) chmortgage (dot) com [email concealed] [mailto:ADBecker (at) chmortgage (dot) com [email concealed]]
> Sent: Monday, September 08, 2003 12:17 PM
> To: GreyMagic Software
> Cc: Bugtraq; full-disclosure (at) lists.netsys (dot) com [email concealed];
> http-equiv (at) excite (dot) com [email concealed]; NTBugtraq; Microsoft Security Response
> Center; vulnwatch (at) vulnwatch (dot) org [email concealed]
> Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
>
> Updated antivirus software should catch this exploit and
> prevent any application from being launched. We have McAfee
> VirusScan 7 Ent. which caught both exploit examples at
> http://greymagic.com/adv/gm001-ie/
>
> Andrew Becker
> C.H. Mortgage, D.R. Horton
> Phoenix IT/MIS Department
> Phone: (866) 639-7305
> Fax: (480) 607-5383
>
> "GreyMagic Software" <security@greymagic.com>
> 09/08/03 07:52 AM
>
> To: "NTBugtraq" <NTBUGTRAQ (at) LISTSERV.NTBUGTRAQ (dot) COM [email concealed]>, "Bugtraq" <bugtraq (at) securityfocus (dot) com [email concealed]>, <full-disclosure (at) lists.netsys (dot) com [email concealed]>, <vulnwatch (at) vulnwatch (dot) org [email concealed]>
> cc: <http-equiv (at) excite (dot) com [email concealed]>, "Microsoft Security Response Center" <secure (at) microsoft (dot) com [email concealed]>, (bcc: Andrew D Becker/Continental Homes)
> Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
>
> >The patch for Drew's object data=funky.hta doesn't work:
>
> This is the exact same issue as
> http://greymagic.com/adv/gm001-ie/, which explains the
> problem in detail. Microsoft again patches the object element
> in HTML, but it doesn't patch the dynamic version of that
> same element.
>
> >1. Disable Active Scripting
>
> This actually means that no scripting is needed at all in
> order to exploit this amazingly critical vulnerability:
>
> <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
> <xml id="oExec">
> <security>
> <exploit>
> <![CDATA[
> <object data=x.asp></object>
> ]]>
> </exploit>
> </security>
> </xml>
>
> Ouch.
>
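
The Content-Type check described in the message above, as an added example that is not part of the original thread: a Python sketch that parses the response header block and compares the normalized media type, next to a literal string match for comparison. The function names and the sample responses are constructed for illustration.

```python
import re

BLOCKED_TYPES = {"application/hta"}  # the MIME type named in the message

def response_headers(raw: bytes) -> list[tuple[str, str]]:
    """Parse the header block of a raw HTTP response into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    # Unfold continuation lines (CRLF followed by space or tab) before splitting.
    head = re.sub(r"\r\n[ \t]+", " ", head)
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def media_type(value: str) -> str:
    """Reduce a Content-Type value to its lower-cased type/subtype."""
    return value.split(";", 1)[0].strip().lower()

def should_block(raw: bytes) -> bool:
    """True if any Content-Type header carries a blocked media type."""
    return any(name == "content-type" and media_type(value) in BLOCKED_TYPES
               for name, value in response_headers(raw))

def naive_match(raw: bytes) -> bool:
    """Literal byte match anywhere in the response, for comparison only."""
    return b"Content-Type: application/hta" in raw

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "plain": b"HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\n\r\n<html>",
    "case_and_param": b"HTTP/1.1 200 OK\r\ncontent-type:Application/HTA; charset=utf-8\r\n\r\n<html>",
    "folded": b"HTTP/1.1 200 OK\r\nContent-Type:\r\n application/hta\r\n\r\n<html>",
    # Header is text/html; the string only appears in the body.
    "benign": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nContent-Type: application/hta",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:15} normalized={should_block(raw)!s:5} literal={naive_match(raw)}")
```

The literal match agrees with the normalized check only on the first sample; it misses the re-cased and folded headers and flags the benign response whose body merely contains the string.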
