Temporary Fix for IE Zero Day Malware RE: BAD NEWS: Microsoft Security Bulletin MS03-032

To: <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>, <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Temporary Fix for IE Zero Day Malware RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: "Drew Copley" <dcopley@xxxxxxxx>
Date: Mon, 8 Sep 2003 11:44:06 -0700
Importance: Normal
In-reply-to: <200309062319.h86NJr7b031567@xxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta

Changing this makes one immune. If you change this to application/htaOLD, then 
someone has to use application/htaOLD on you. I would suggest a very long 
random number/character combination or deletion. As for deletion, the contents 
are entirely standard and may be brought back easily.

Deletion is the safest avenue.

Our Network Admin asked:
"Will that fully disable execution of html apps (with the 
extension .hta)?"

Some network administrators use documents with the .hta extension. Beyond this 
field, I don't think anyone uses it. Regardless, yes, you may still use hta 
files -- just they must be identified by having a proper extension. They may 
not be identified by MIME Type as the bug depends on. 

In the vast majority of instances you will find that even with HTA files being 
transferred over the network, they will not depend or even use the MIME type.

There may be as yet undiscovered variants of this issue which I am unaware of 
at this time. This fix may not protect against these variants. But, this fix 
does protect against this variant, so I suggest people use it.



> -----Original Message-----
> From: http-equiv@xxxxxxxxxx [mailto:1@xxxxxxxxxxx] 
> Sent: Saturday, September 06, 2003 4:20 PM
> To: secure@xxxxxxxxxxxxx
> Cc: Russ.Cooper@xxxxxxxxxxxx; dcopley@xxxxxxxx
> Subject: BAD NEWS: Microsoft Security Bulletin MS03-032
> 
> 
> 
> 
> Bad news.
> 
> Your patch from Drew's object data=funky.hta doesn't work:
> 
http://www.malware.com/badnews.html

<script>
  var oPopup = window.createPopup();

  function showPopup() {
    oPopup.document.body.innerHTML = "<object data=ouch.php>";
    oPopup.show(0,0,1,1,document.body);
  }
  
  showPopup()
</script>

- -- 
http://www.malware.com





-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP1zN9QkWkugjEnC3EQJSKgCdEPx/Xjmc3a6ZgCy4UeYIdvlOnGwAoMbX
gmUobjF6xPcoUWiyBdJYjSf2
=vpqP
-----END PGP SIGNATURE-----

Prev by Date: Re: Re[2]: 11 years of inetd default insecurity?
Next by Date: Re: 11 years of inetd default insecurity?
Previous by thread: Rogerwilco: server's buffer overflow
Next by thread: Multiple Heap Overflows in FTP Desktop
Index(es):
- Date
- Thread