[Dshield] Internet Explorer Advisory / apology

Brian McWilliams bmcw at attbi.com
Sun Mar 3 02:47:18 GMT 2002


Johannes,

Glad to see some attention being given in recent days to that Pop-Up attack.

That URL ( http://www.liquidwd.freeserve.co.uk/ ) is actually an
independent demo of one of the exploits published in January by a 
researcher named ThePull:

http://home.austin.rr.com/wiredgoddess/thepull/advisory4.html

Fortunately, ThePull and GreyMagic Software, which just put out a perhaps 
more technically accurate assessment of the flaw, have not found a way to 
pass parameters to the pop-up application. So, you can get a command prompt 
but you can't feed it commands, etc.

GreyMagic's advisory is here:

http://security.greymagic.com/adv/gm001-ie/

Thor Larholm has noted that this flaw may actually have been discovered 
back in Nov 2000 by Georgi Guninski:

http://www.guninski.com/parsedat-desc.html

For some reason, Microsoft still hasn't addressed the vulnerability:

http://www.newsbytes.com/news/02/174723.html

Brian


At 07:19 PM 3/2/2002, jullrich at sans.org wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>   Internet Explorer has a number of severe issues that have not
>been addressed by Microsoft so far. Recently, a user posted the
>URL provided below to show what can be done with these holes.
>
>   Posting exploit code like this is of course always a difficult
>issue. In my opinion, if an exploit exists, its ownership and use
>by a small group of crackers is often more damaging than making
>the community at large aware of it (and allowing them to take
>the necessary countermeasures).
>
>   Anyway. I regretfully rejected the post, partially because the
>URL for the exploit was not marked as an 'exploit'. So the post
>got rejected... and I never took note who submitted it, so I can't
>really give credit here.
>
>   The URL below will launch a 'command shell' on Windows XP and 2000. It
>works on my Windows XP Pro test system, which is fully patched according
>to Windows Update.
>
>   You may not want to launch this URL from a "trusted/secure" system.
>While I do not believe it does anything malicious, it could be changed by
>now.
>
>   Here it goes (inserted a space to prevent people from clicking without
>thinking): http://www.liguidwd. freeserve.co.uk
>
>   Internet Explorer vulnerabilities are in particular a big problem with
>plenty of exploited MS IIS servers still on the net and exploits for
>php/Apache about to be launched.
>
>   The particular exploit will require Javascript to run. In my opinion,
>if you have to use MSIE, disable javascript/active scripting to avoid
>running into this issue. The next URL using this code may do more than
>just launch a shell.
>
>   Also, the affected systems (Win2k, XP) have the ability to set up
>different user accounts with different privileges. Too many users still
>use accounts with 'Administrator' privilege for everyday use / web
>browsing.
>
>   Please sound the necessary alarms if you hit a URL that exploits any of
>these issues.
>
>- --
>- -------
>jullrich at euclidian.com               Join http://www.DShield.org
>                           Distributed Intrusion Detection System
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (GNU/Linux)
>Comment: For info see http://www.gnupg.org
>
>iD8DBQE8gWwOwWQP+4im9DYRAoZSAJ9/VPJ1JlWhl0yM4sGpBxZSx2wbQQCeO82M
>b/sTnqf5DWQrq/nfCOXj9Q0=
>=uPj1
>-----END PGP SIGNATURE-----
>
