RE: BAD NEWS: Microsoft Security Bulletin MS03-032

["Drew Copley" <dcopley () eeye com>]

Some AV will catch these because of malware's exploit code which he has
reused. Some AV will catch this because of greymagic's exploit code. Which
is all fine and good, a bit like a magic trick. Yes, the demonstration
exploit is caught... But the worm or trojan exploit someone maliciously
sends to your system -- this won't be caught. 

The only sure way to detect this, I already wrote about [to Bugtraq]. That
is by setting a firewall rule which blocks the dangerous mimetype string
[Content-Type: application/hta]. Everything else in the exploit can change. 

But, why merely detect it and risk encoded and other types of AV/IDS/IPS
evading techniques? Why not just do this fix? I think, ultimately, it
depends on how safe you want to be. Some people do not mind having their
systems be at risk. That is their choice. 



> -----Original Message-----
> From: ADBecker () chmortgage com [mailto:ADBecker () chmortgage com] 
> Sent: Monday, September 08, 2003 12:17 PM
> To: GreyMagic Software
> Cc: Bugtraq; full-disclosure () lists netsys com; 
> http-equiv () excite com; NTBugtraq; Microsoft Security Response 
> Center; vulnwatch () vulnwatch org
> Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
>
>
>
>
>
>
>
> Updated antivirus software should catch this exploit and 
> prevent any application from being launched. We have McAfee 
> VirusScan 7 Ent. which caught both exploit examples at 
> http://greymagic.com/adv/gm001-ie/
>
> Andrew Becker
> C.H. Mortgage, D.R. Horton
> Phoenix IT/MIS Department
> Phone: (866) 639-7305
> Fax: (480) 607-5383
>
>
>                                                               
>                                                               
>            
>                       "GreyMagic                              
>                                                               
>            
>                       Software"                To:       
> "NTBugtraq" <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>, "Bugtraq"     
>                 
>                       <security@greymag         
> <bugtraq () securityfocus com>, 
> <full-disclosure () lists netsys com>,                       
>                       ic.com>                   
> <vulnwatch () vulnwatch org>                                     
>                          
>                                                cc:       
> <http-equiv () excite com>, "Microsoft Security Response Center" 
>                 
>                       09/08/03 07:52 AM         
> <secure () microsoft com>, (bcc: Andrew D Becker/Continental 
> Homes)                       
>                                                Subject:  RE: 
> BAD NEWS: Microsoft Security Bulletin MS03-032                
>             
>                                                               
>                                                               
>            
>
>
>
>
> > The patch for Drew's object data=funky.hta doesn't work:
>
> This is the exact same issue as 
> http://greymagic.com/adv/gm001-ie/, which > explains the 
> problem in detail. Microsoft again patches the object element 
> in HTML, but it doesn't patch the dynamic version of that 
> same element.
>
> > 1. Disable Active Scripting
>
> This actually means that no scripting is needed at all in 
> order to exploit this amazingly critical vulnerability:
>
> <span datasrc="#oExec" datafld="exploit" 
> dataformatas="html"></span> <xml id="oExec">
>     <security>
>         <exploit>
>             <![CDATA[
>             <object data=x.asp></object>
>             ]]>
>         </exploit>
>     </security>
> </xml>
>
> Ouch.