March 16th, 2002, 05:27 AM
New MSIE Vulnerability - Remote Access
A Microsoft Internet Explorer vulnerability was found by GreyMagic
(http://security.greymagic.com/adv/gm001-ie/). With IncrediMail, it's
possible to gain remote access to a computer.
IncrediMail automatically saves email attachments in this directory
(on Windows 2000 Professional):
So if you send an HTML email with the GreyMagic vulnerability and a
trojan as an attachment, it will be saved in this directory.
The HTML mail contains this code:
So, the trojan is executed automatically.
March 16th, 2002, 05:43 AM
Tested on: IE5.5sp2 Win98, all patches, Active scripting and ActiveX disabled.
There is no configuration-tweaking workaround for this bug; it will work as long as the browser parses HTML. The only possible solution must come in the form of a patch from Microsoft.
Update - 3 Mar 2002
Since the injected <object> runs in the "My Computer" Zone, changing the Internet Zone's settings didn't affect it, but changing the correct zone's settings will prevent this exploit from running.
Here is the registry information:
Change the value of "1004" (DWORD) to 0x3.
IE5.5sp2 NT4 sp6a, all patches, Active scripting and ActiveX disabled.
IE6sp1 Win2000 sp2, all patches, Active scripting and ActiveX disabled.
IE6sp1 WinXP, all patches, Active scripting and ActiveX disabled.
Taken from here.
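A quick way to verify whether the zone fix described in the post above is actually in place, as an added example and not code from the original thread. The post omits the registry path; the script assumes the standard per-zone key under Internet Settings\Zones, with zone 0 being "My Computer" (where the injected object runs) and zone 3 the Internet zone, and the usual action values 0 = enable, 1 = prompt, 3 = disable.

```powershell
# Added example (not from the thread). Assumed key layout:
#   HKCU/HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
# Zone 0 = "My Computer" (the zone the injected <object> runs in), zone 3 = Internet.
# Action values: 0 = enable, 1 = prompt, 3 = disable.
$ValueName = '1004'                       # the setting named in the post
$Zones     = @{ 0 = 'My Computer'; 3 = 'Internet' }
$Hives     = @('HKCU', 'HKLM')            # per-user setting normally wins

function Get-ZoneAction {
    param([string]$Hive, [int]$Zone)
    $key  = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }  # key or value absent
    return [int]$item.$ValueName
}

function Describe-Action {
    param($Action)
    if ($null -eq $Action) { return 'not set' }
    switch ([int]$Action) {
        0       { 'ENABLE (exploitable)' }
        1       { 'prompt' }
        3       { 'disable (mitigated)' }
        default { "unknown ($Action)" }
    }
}

foreach ($hive in $Hives) {
    foreach ($zone in ($Zones.Keys | Sort-Object)) {
        $action = Get-ZoneAction -Hive $hive -Zone $zone
        '{0} zone {1} ({2}) value {3}: {4}' -f $hive, $zone, $Zones[$zone], $ValueName, (Describe-Action $action)
    }
}

# Only zone 0 matters for this bug: the Internet zone can already read 3 while
# zone 0 still reads 0, which is why tightening Internet zone settings had no effect.
$zone0 = Get-ZoneAction -Hive 'HKCU' -Zone 0
if ($zone0 -ne 3) {
    Write-Warning "My Computer zone value $ValueName is not 3; the fix from the post would be:"
    Write-Output "  Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0' -Name $ValueName -Value 3 -Type DWord"
}
```

Run it before and after applying the registry change to confirm the value took effect in the zone the post identifies rather than in the Internet zone.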
March 20th, 2002, 05:39 PM
A meaner piece of code than the above example. Once you visit the homepage, your computer will log off the current user. Norton AV did find and identify the above but did not succeed in detecting and stopping this piece of code.
Source and example of the code can be found here --> http://www.****.org/~max/xp_rules.jpg (beware: visiting this webpage can log you out of the computer).
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
var programName=new Array(
html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='"+programName[n]+"' %1='r'></OBJECT>";
oPopup.show(290, 390, 200, 200, document.body);
You should feel lucky if you don't have XP right now.
March 20th, 2002, 05:55 PM
I ran the GreyMagic test on the following:
IE6.0, Win98, all patches, Scriptblocking enabled
IE5.5, sp/2, Win98se, Scriptblocking enabled
IE5.5, sp/1, Win98, Scriptblocking enabled
The code attempted to run in each case but NAV 7.0 (2001) stopped the exploit each time.
BTW, Norton Personal Firewall did *nothing*.
March 20th, 2002, 06:00 PM
Kinda goes to show, you really shouldn't integrate a browser with the Operating System so closely. Modularity is security, in this case: visiting a page with any of the above code will not harm Netscape, for instance, because it is not integrated with the operating system.
Of course, none of the above exploits had any effect on Opera 5, for RedHat 7.1 ;-)
This user powered by Linux.
March 20th, 2002, 08:39 PM
"Of course, none of the above exploits had any effect on Opera 5, for RedHat 7.1 ;-)"
Neither of the above exploits had any effect on OffByOne ver.3.2G, Win98. :-)