[Dshield] An unfixed highly critical vulnerability discovered in Microsoft Internet Explorer
Johannes B. Ullrich
jullrich at sans.org
Thu Apr 8 19:09:25 GMT 2004
> Q #1: Is it possible to create a Trojan web site that would contain
> a link that could infect a system in a manner similar to an email?
If it's a web page, it doesn't need a link (I think).
> Q #2: If the AV sigs are up to date, will that stop the worm, or as
> Johannes' email says "Just clicking on the URL sent by the worm will
> get you infected. NO POPUPS! NO WARNINGS!" (Does that mean you will
> get infected even if you have the latest AV sigs?)
I don't think there are 'generic' AV sigs. So you would rely on
the virus arriving after the AV sigs got updated. Given the
recent track record of Bugbear and such, it is likely that
your users will see the virus before they see the new signature.
So far, only Bugbear.C is using this exploit. There are signatures
However, I expect numerous variations to show up shortly. The exploit
is rather simple and easy to copy.
It may be possible to come up with a generic rule that will trigger on
the exploit. But so far, I haven't seen one.
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm