
List:       bugtraq
Subject:    Temporary Fix for IE Zero Day Malware RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From:       "Drew Copley" <dcopley () eeye ! com>
Date:       2003-09-08 18:44:06

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta

Changing this makes one immune. If you change this to application/htaOLD, then someone has to use application/htaOLD on you. I would suggest a very long random number/character combination or deletion. As for deletion, the contents are entirely standard and may be brought back easily.

Deletion is the safest avenue.

Our Network Admin asked:
"Will that fully disable execution of html apps (with the extension .hta)?"

Some network administrators use documents with the .hta extension. Beyond this field, I don't think anyone uses it. Regardless, yes, you may still use hta files -- they just must be identified by having a proper extension. They may not be identified by MIME Type, as the bug depends on.

In the vast majority of instances you will find that even with HTA files being transferred over the network, they will not depend on or even use the MIME type.

There may be as yet undiscovered variants of this issue which I am unaware of at this time. This fix may not protect against these variants. But this fix does protect against this variant, so I suggest people use it.



> -----Original Message-----
> From: http-equiv@excite.com [mailto:1@malware.com] 
> Sent: Saturday, September 06, 2003 4:20 PM
> To: secure@microsoft.com
> Cc: Russ.Cooper@TruSecure.ca; dcopley@eeye.com
> Subject: BAD NEWS: Microsoft Security Bulletin MS03-032
> 
> 
> 
> 
> Bad news.
> 
> Your patch from Drew's object data=funky.hta doesn't work:
> 
http://www.malware.com/badnews.html

<script>
  // window.createPopup() is an Internet Explorer-only API that returns a
  // chromeless popup window with its own document.
  var oPopup = window.createPopup();

  function showPopup() {
    // The <object> data is served by a server-side script, so IE identifies
    // the content by the MIME type in the HTTP response, not by a .hta extension.
    oPopup.document.body.innerHTML = "<object data=ouch.php>";
    oPopup.show(0,0,1,1,document.body);
  }

  showPopup();
</script>

-- 
http://www.malware.com





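Drew's registry workaround written out as an added PowerShell example (not part of this message and not an eEye tool): it reports whether the application/hta MIME mapping exists, exports it to a .reg file so it can be brought back as the message notes, and then deletes the key, or with -Rename moves it under a long random name instead. It assumes an elevated session on a current Windows; the function names are mine.

```powershell
# Added example, not from the original message. Run elevated (HKLM writes).
$MimeRoot = 'HKLM:\SOFTWARE\Classes\MIME\Database\Content Type'
$HtaKey   = "$MimeRoot\application/hta"

function Get-HtaMimeMapping {
    # Report whether the mapping exists and which extension/CLSID it carries.
    if (-not (Test-Path -LiteralPath $HtaKey)) {
        return [pscustomobject]@{ Present = $false; Extension = $null; CLSID = $null }
    }
    $props = Get-ItemProperty -LiteralPath $HtaKey
    [pscustomobject]@{ Present = $true; Extension = $props.Extension; CLSID = $props.CLSID }
}

function Backup-HtaMimeMapping {
    param([string]$Path = "$env:TEMP\application-hta-mime.reg")
    # reg.exe export writes a .reg file; importing it restores the key unchanged,
    # which is the "may be brought back easily" property the message relies on.
    & reg.exe export 'HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/hta' $Path /y | Out-Null
    return $Path
}

function Disable-HtaMimeMapping {
    param([switch]$Rename)
    # Default: delete the key (the message's "safest avenue").
    # -Rename: keep the contents under a random name an attacker cannot guess.
    if (-not (Test-Path -LiteralPath $HtaKey)) { return 'already absent' }
    if ($Rename) {
        $suffix = -join ((1..24) | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
        $newName = "application/hta-disabled-$suffix"
        Rename-Item -LiteralPath $HtaKey -NewName $newName
        return "renamed to $newName"
    }
    Remove-Item -LiteralPath $HtaKey -Recurse
    return 'deleted'
}

$before = Get-HtaMimeMapping
if ($before.Present) {
    $backup = Backup-HtaMimeMapping
    Write-Host "Mapping present (Extension=$($before.Extension)); backup written to $backup"
    Write-Host (Disable-HtaMimeMapping)
} else {
    Write-Host 'application/hta mapping not present; nothing to do'
}
```

Re-importing the exported .reg file (reg.exe import) undoes the change; as the message says, this only removes the MIME-type path to HTA and does not stop .hta files opened by extension.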

