Results 1 to 8 of 8

Thread: IE Arbitraty Code Exploit proven harmful

  1. #1
    Senior Member
    Join Date
    Jan 2002

    Exclamation IE Arbitrary Code Exploit proven harmful

    In February, security group GreyMagic Software posted a new advisory
    <> correcting some
    details in thePull's original post. They also detailed a new method
    of exploiting this vulnerability without using ActiveScripting or
    ActiveX. In other words, hackers can exploit this flaw with simple
    HTML code. This greatly increased the scope of the vulnerability,
    because disabling ActiveScripting and ActiveX no longer prevented
    the attack. GreyMagic found that IE 5.5 was susceptible as well.
    However, since the hacker could still start an application but not
    use it, the vulnerability was considered more an irritation than a
    damaging attack.

    Yesterday, this vulnerability was proven harmful in an article
    <>from Newsbytes. The
    article mentions two unusual applications that ship with Windows XP.
    Logoff.exe installs by default in XP and, when activated, forces the
    current user to log off the system. Shutdown.exe does not install by
    default but is shipped with XP; when activated, it forces your
    machine to shut down. When either of these applications execute, you
    lose any unsaved data. These programs are also in the Windows NT and
    2000 Resource Kit. Thus, NT and 2000 administrators who have
    installed these from the Resource Kit and use IE are also affected.

    Now that the exploit code for this vulnerability and the connection
    with shutdown.exe has been aired publicly, this attack is readily
    feasible for any script kiddie. A hacker could create a Web page
    that specifically targets the Logoff.exe application present in
    Window XP by default. If you were enticed to visit the site, your
    machine would automatically shut down. The attacker could achieve
    the same results if you use Outlook or Outlook Express to open a
    specially-crafted HTML e-mail he sent you.

    Note that the vulnerability consists of someone being able to
    remotely execute any program that resides on your machine.
    Logoff.exe and shutdown.exe are the only known exploits thus far
    (who cares if a hacker manages to remotely trigger Minesweeper on
    your PCs?), but it would be typical of the hacker community to
    figure out other damaging exploits in the future.


    Microsoft has not yet officially responded to this vulnerability,
    and there is no patch or workaround available yet. However, without
    logoff.exe and shutdown.exe, the only known exploits become
    unworkable. You could remove or rename these applications on your XP
    machines to help avoid a damaging attack from this vulnerability.
    Keep in mind, doing that would also break any legitimate script or
    program that used those applications. We recommend that you verify
    these applications are not installed on your NT or 2000 machines,

    Many antiviral vendors, like McAfee and Symantec, have updated their
    products to detect this attack and notify you; however, they do not
    prevent it.
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  2. #2
    Join Date
    Oct 2001
    Good post xigar.... I use IE with Win2k, but no resource pack So im safe... For now

  3. #3
    good post man. I wonder how long it is going to take m$ to post a fix. Probibly about as much time as it will take to find a nother expoit.
    Computers make sense people

  4. #4
    Senior Member
    Join Date
    Jan 2002
    one thing which hasn't been mentioned in the threads about this exploid ( )...
    is that this would be much more difficult if not impossible to use if people would follow the following simple rule...

    never install a windows system, especially nt, 2k or xp to the default winnt directory...if you install it to c:\BobsYerOperatingSystem or c:\noodles, this kind of exploiD, and many others don't work, since they rely on knowing what directory, specifically c:\winnt, your os files are sitting it anything else and your pretty much safe from this kind of thing...

    unfortunately, most of the machines i deal with have 2k preinstalled by dell i'm stuck..

    i've used a prog called COA to move progs with registry entries to different drives...and it works very nicely...but there's no way to move the os directory that i know of...anyone know different???
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  5. #5
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Seattle, WA
    This is the reason I'm using Opera and Eudora, even though they are both ad-ware. I just like how the companies approached the problem too, they're very... frank, about that they need the ads to pay for their programming, and they don't get all secretive when you ask what personal information is collected, etc...

    I do not trust Microsoft much.
    [HvC]Terr: L33T Technical Proficiency

  6. #6
    Senior Member
    Join Date
    Nov 2001
    **previous posting censored on the ground of stupidity and alcohol**

    My apologies zigar, just read the first lines..
    Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile

  7. #7
    Senior Member
    Join Date
    Jan 2002
    ummm..pooh bear...i appreciate the lecture on posting ettiquette...but if you'd read the post...this is NEW...

    Yesterday, (that would be wednesday March13, 2002) this vulnerability was proven harmful...
    the original thread...was followed by THIS which proved that the exploit could be run even without activex....

    the previous 2 threads were proof of concept...this thread..proves that you can potentially harm someones system with the exploit...

    which is what i titled it...and why i started a new thread...
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  8. #8
    Senior Member
    Join Date
    Jan 2002
    This is the reason I'm using Opera and Eudora,

    A note to all Eudora users who, like myself, thought they were not at risk...the default configuration of eudora uses IE as the html rendering engine...and as such, eudora IS vulnerable to this exploit...

    however, you can go to tools/options/viewing mail and uncheck Use Microsoft Viewer...this will force eudora to use it's built in renderer and may prevent this exploit...i haven't tested it tho...
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts