Bugtraq mailing list archives

W32/BadTrans.B-mm [Was: File extensions spoofable in MSIE download dialog]


From: "http-equiv () excite com" <http-equiv () excite com>
Date: Mon, 26 Nov 2001 20:45:10 -0800 (PST)

"Jouko Pynnonen" <jouko () solutions fi> wrote in message:

> The flaw has been successfully exploited with Internet Explorer 5.5 and
> 6. An IE5 with the latest updates shows the spoofed file name and
> extension without a sign of EXE, and issues no Security Warning dialog
> after the file download dialog.
>
> VENDOR STATUS
>
> Microsoft was contacted on November 19th. The company doesn't currently
> consider this a vulnerability; they say that the trust decision should
> be based on the file source and not type. The origin of the file, i.e. the
> web server's hostname, can't be spoofed with this flaw. It's not known
> whether a patch is going to be produced. Microsoft is currently
> investigating the issue.

This is interesting, but not surprising. A couple of hours ago, we received two
copies of the new W32/BadTrans.B-mm and, taking a closer look, we found the
following:

1. A lot of noise is being made about how the vulnerability that this uses
is old, and that many patches, service packs, warnings, other i-worms
utilising the vulnerability have come and gone, yet there is wide-scale
spreading of this variant today.

2. The two copies we received were from Outlook Express 6.00 mail clients.
How can that be? They are not vulnerable to the so-called audio/x-wav MIME
IFRAME Outlook Express vulnerability.

3. What we found was precisely as you describe above, as was discussed
and demonstrated over 12 months ago, and as recently as 3 months ago:
http://www.securityfocus.com/bid/3271, and as the vendor continuously claims
above.

4. In the case of Outlook Express 6 [and probably the others, even the
patched others], the W32/BadTrans.B-mm uses *.scr or *.pif files
[S3MSONG.DOC.scr].

5. We found that a *.scr file incorporated in an IFRAME does in fact
execute after only the single 'open it' or 'save it' attachment warning.
There is no second 'SECURITY WARNING'; simply accepting the generic
attachment warning dialogue runs the *.scr without any other warning. *.exe
won't run.

Working Example [harmless "windows flower pot" screen saver]:

http://www.malware.com/badtranceman.zip

This is simply not acceptable. Guaranteed there are generic folk out there
who know nothing, and will open that attachment warning out of curiosity, be
it that their mail client is Outlook Express 5.00 patched, 5.5 patched, or 6.00
patched. The current proliferation can surely be based on that [as well].

The warning dialogue is just not good enough for executable file
attachments. A clear safety warning must follow the single, simple 'open it'
or 'save it' flimsy attachment warning. It is grossly unfair to the
clientele this vendor caters to, and contributes to the destruction of the
internet infrastructure as a whole, making it unsafe for everyone.

Please don't sell the nice little children shiny bright toys with toxic
parts that fall off that they can swallow and then claim they ought to know
better and not put it in their mouths.

references:

http://www.malware.com/carolclickme.html
http://www.malware.com/yoko.html
 

side irritational note: there is nothing more pleasurable than scratching
out 3/4 of this communication, then having the Windows operating system
freeze on you, hard reboot and start all over again.

side technical AV note: the W32/BadTrans.B-mm copies received are not
actually being sent through/by the mail client. They're in X-Unsent: 1 state,
which means Message Composition State in Outlook Express. No doubt it's
clear to the AV experts that it's using its own SMTP engine, but the headers and
boundary lines aren't of OE vintage; also, each copy arrived with a zero byte
*.txt file attachment as well as the payload. It all appears to be a
peculiar construction.

simple solution: SWITCH OFF HTML IN THE EMAIL CLIENT !


---
http://www.malware.com
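The traits the post calls out (items 4 and 5 plus the "technical AV note") can be checked mechanically at a mail gateway. The following is an added example, not code from the post or from any AV product; the message it parses is constructed to mirror the described traits, not a real worm capture, and the function name `suspicious_traits` is hypothetical.

```python
import email
import re
from email import policy

EXECUTABLE_EXTS = {".scr", ".pif", ".exe"}  # run after only the generic attachment dialog per the post

# Constructed sample (not a real worm capture) carrying the traits the post describes:
# X-Unsent: 1, an HTML body whose IFRAME loads a cid: part, a double-extension
# *.scr declared as audio/x-wav, and a zero-byte *.txt attachment.
SAMPLE = b"""From: sender@example.invalid
X-Unsent: 1
Content-Type: multipart/related; boundary="====_BOUNDARY_"

--====_BOUNDARY_
Content-Type: text/html; charset="us-ascii"

<HTML><BODY><IFRAME SRC="cid:song1" WIDTH=0 HEIGHT=0></IFRAME></BODY></HTML>
--====_BOUNDARY_
Content-Type: audio/x-wav; name="S3MSONG.DOC.scr"
Content-Transfer-Encoding: base64
Content-ID: <song1>

QUJDRA==
--====_BOUNDARY_
Content-Type: text/plain; name="readme.txt"

--====_BOUNDARY_--
"""

def suspicious_traits(raw: bytes) -> list:
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    if msg.get("X-Unsent", "").strip() == "1":
        found.append("x-unsent")  # still in composition state: not sent through the mail client
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html" and re.search(
                r"<iframe[^>]+src\s*=\s*['\"]?cid:", part.get_content(), re.I):
            found.append("iframe-cid")  # HTML body auto-loads an attached MIME part
        name = (part.get_filename() or "").lower()
        exts = name.split(".")[1:]
        if exts and "." + exts[-1] in EXECUTABLE_EXTS:
            found.append("exec-attachment" if len(exts) == 1 else "double-extension")
            if not ctype.startswith("application/"):
                found.append("exec-as-" + ctype)  # executable hidden behind a media type
        if name.endswith(".txt") and not (part.get_payload(decode=True) or b"").strip():
            found.append("zero-byte-txt")
    return found
```

Any one of these flags on its own is weak evidence; the combination seen in the sample is what matches the post's description.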




