Full Disclosure mailing list archives
RE: Spyware installs with no interaction in IE on fully patched XP SP2 box
From: "Castigliola, Angelo" <ACastigliola () unumprovident com>
Date: Tue, 5 Oct 2004 10:50:02 -0400
I am sure there is a configuration setting or software (perhaps the software made the configuration change) that is preventing this from installing on your computer. I tested with a default XP SP1 install with all the Microsoft Updates that have been applied to stop this type of IE hack. The spyware still installs itself on the machine. XP SP1 with the following patches: http://support.microsoft.com/default.aspx?scid=kb;en-us;814078 http://support.microsoft.com/default.aspx?scid=kb;en-us;816093 http://support.microsoft.com/default.aspx?scid=kb;en-us;823182 http://support.microsoft.com/default.aspx?scid=kb;en-us;825119 http://support.microsoft.com/default.aspx?scid=kb;en-us;832894 http://support.microsoft.com/default.aspx?scid=kb;en-us;835732 http://support.microsoft.com/default.aspx?scid=kb;en-us;840374 http://support.microsoft.com/default.aspx?scid=kb;en-us;840315 http://support.microsoft.com/default.aspx?scid=kb;en-us;839645 http://support.microsoft.com/default.aspx?scid=kb;en-us;867801 These are _ALL_ the Microsoft Updates that specifically patch up IE holes. My question to the forum is: If this is not a 0-day IE exploit that allows software to install on a computer with no user interaction then what Microsoft Update applies to this exploit? Again I fear there is no Microsoft Update available that will fix this hole. Can someone confirm that a Default install of XP SP2 with all patches will not stop spyware from themexp.org from installing? Angelo Castigliola III Operations Technical Analyst I UnumProvident IT Services 207.575.3820 -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Alla Bezroutchko Sent: Tuesday, October 05, 2004 7:01 AM To: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box Carr, Robert wrote:
Interesting... I just went there, and he's right. Atpartners.cab installed without permission. My McAfee picked it right up as Atpartners.dll, downloaded
to Temp Internet files. Spyware detected as NetPals. On the other hand, I'm admin of my machine, I wonder if a "user" would get an error
message about not having the correct rights...
I have tested it on Windows XP SP2 and on fully patched Windows 2000. In both cases _nothing_ gets run or installed. Both systems are more or less standard installations without any special IE hardening (except patches). When I surf to the site with Windows XP "Installing components... ATpartners.cab" briefly appears in the status bar and then the site gets displayed. Under the normal browser bars there is a message saying "The site might require the following ActiveX control: FREE on-line games and special offers from... Click here to install...". I don't click on it. Searching the disk for atpartnets.cab or atpartners.dll finds nothing. The CLSID of the ActiveX control only appears in the registry in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\" . With Windows 2000 I also get "Installing components... ATpartners.cab" in the status bar and then the dialog box asking if I want to install "Free online games from ATgames.com". This is a usual dialog box you get when a page attempts to install an ActiveX control. If I click "No", nothing gets installed, no atpartners files on the file system, no traces of the CLSID in the registry. I suppose the cab file gets downloaded so that Windows can read and display the signature of the file. It does not get run or installed unless explicitly permitted by user. So, as far as I can see this is no 0-day. Alla. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Spyware installs with no interaction in IE on fully patched XP SP2 box, (continued)
- Re: Spyware installs with no interaction in IE on fully patched XP SP2 box Alla Bezroutchko (Oct 05)
- RE: Spyware installs with no interaction in IE on fully patched XP SP2 box Todd Towles (Oct 04)
- RE: Spyware installs with no interaction in IE on fully patched XP SP2 box Todd Towles (Oct 04)
- Re: Spyware installs with no interaction in IE on fully patched XP SP2 box Willem Koenings (Oct 04)
- RE: Re: Spyware installs with no interaction in IE on fully patched XP SP2 box Todd Towles (Oct 04)
- RE: Spyware installs with no interaction in IE on fully patched XP SP2 box Gossi The Dog (Oct 04)
- RE: Spyware installs with no interaction in IE on fully patched XP SP2 box Castigliola, Angelo (Oct 05)