List: bugtraq
Subject: Temporary Fix for IE Zero Day Malware RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: "Drew Copley" <dcopley () eeye ! com>
Date: 2003-09-08 18:44:06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta
Changing this makes one immune. If you change this to application/htaOLD, then someone has to use application/htaOLD on you. I would suggest a very long random number/character combination or deletion. As for deletion, the contents are entirely standard and may be brought back easily.
Deletion is the safest avenue.
Our Network Admin asked:
"Will that fully disable execution of html apps (with the
extension .hta)?"
Some network administrators use documents with the .hta extension. Beyond this field, I don't think anyone uses it. Regardless, yes, you may still use hta files -- just they must be identified by having a proper extension. They may not be identified by MIME Type as the bug depends on.
In the vast majority of instances you will find that even with HTA files being transferred over the network, they will not depend on or even use the MIME type.
There may be as yet undiscovered variants of this issue which I am unaware of at this time. This fix may not protect against these variants. But, this fix does protect against this variant, so I suggest people use it.
> -----Original Message-----
> From: http-equiv@excite.com [mailto:1@malware.com]
> Sent: Saturday, September 06, 2003 4:20 PM
> To: secure@microsoft.com
> Cc: Russ.Cooper@TruSecure.ca; dcopley@eeye.com
> Subject: BAD NEWS: Microsoft Security Bulletin MS03-032
>
>
>
>
> Bad news.
>
> Your patch from Drew's object data=funky.hta doesn't work:
>
http://www.malware.com/badnews.html
<script>
var oPopup = window.createPopup();
function showPopup() {
oPopup.document.body.innerHTML = "<object data=ouch.php>";
oPopup.show(0,0,1,1,document.body);
}
showPopup()
</script>
- --
http://www.malware.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBP1zN9QkWkugjEnC3EQJSKgCdEPx/Xjmc3a6ZgCy4UeYIdvlOnGwAoMbX
gmUobjF6xPcoUWiyBdJYjSf2
=vpqP
-----END PGP SIGNATURE-----
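
The deletion recommended in the message above, with a backup exported first so the key can be restored, as an added example that is not part of the original post. The backup file location is an assumption; the .NET registry API is used because the key name contains a `/`, which the PowerShell registry provider would treat as a path separator.

```powershell
# Added example, not from the original message. Run from an elevated prompt.
# Assumption: the backup location below is a placeholder chosen for illustration.
$parentPath = 'SOFTWARE\Classes\MIME\Database\Content Type'
$subKeyName = 'application/hta'
$backupFile = Join-Path $env:TEMP 'hta-mime-backup.reg'   # hypothetical location

# The key name contains '/', which the PowerShell registry provider treats as a
# path separator, so use the .NET registry API instead of Test-Path/Remove-Item.
$parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($parentPath, $true)
if ($null -eq $parent) { throw "Cannot open HKLM\$parentPath for writing" }

try {
    if ($parent.GetSubKeyNames() -notcontains $subKeyName) {
        Write-Output "MIME type '$subKeyName' is not registered; nothing to do."
        return
    }

    # Export first so the standard contents can be brought back with 'reg import'.
    & reg.exe export "HKLM\$parentPath\$subKeyName" $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backupFile)) {
        throw "Backup failed; key left in place."
    }

    # Remove the MIME type registration, then confirm it is gone.
    $parent.DeleteSubKeyTree($subKeyName)
    if ($parent.GetSubKeyNames() -contains $subKeyName) {
        throw "Key is still present after deletion."
    }
    Write-Output "Removed. Restore with: reg import `"$backupFile`""
}
finally {
    $parent.Close()
}
```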