Hey folks,

Have you seen the alerts on the latest IE bug out today? Folks on the Dshield list have been talking about it and it sounds like a nightmare in the making. Here is the initial post:

Microsoft Internet Explorer does not properly validate source of CHM components referenced by ITS protocol handlers

Overview: Microsoft Internet Explorer (IE) does not adequately validate the source of script contained in compiled help (CHM) file components that are referenced by the Microsoft InfoTech Storage (ITS) protocol handlers. An attacker could exploit this vulnerability to execute script in different security domains. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.
http://www.kb.cert.org/vuls/id/323070

AU-2004.007 -- AusCERT Update - Vulnerability in Internet Explorer Allows Program Execution
http://www.auscert.org.au/render.html?it=3990

Internet Explorer showHelp() Restriction Bypass Vulnerability
Critical: Highly critical
Impact: Security Bypass
Where: From remote
Software: Microsoft Internet Explorer 5.01, Microsoft Internet Explorer 5.5, Microsoft Internet Explorer 6
http://secunia.com/advisories/10523/

When I visited Secunia's web page (at the above address), I received the following virus alert (issued by NAV2004):
Source: C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\0LU1UHY7\10523.htm
Click for more information about this threat: Bloodhound.Exploit.6

Guess this is just Secunia's way of demonstrating the vulnerability's existence on the browsers concerned. Since the virus was detected in the browser's cache, access to the infected file was denied and repair failed. After closing the browser, however, a scan of Temporary Internet Files showed NO threats.

NAV2004 - Bloodhound.Exploit.6
Bloodhound.Exploit.6 is a heuristic detection for exploits of a Microsoft Internet Explorer vulnerability, which was discovered in February 2004. The vulnerability results from the incorrect handling of HTML files embedded in CHM files. (CHM is the Microsoft-compiled HTML help format.) This vulnerability is known to be used in the wild.
http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html

and one of the later postings:

After reading the sites that reported it, it seems like there is really nothing to stop it, because it's using a "feature" of MSIE and MSOutlook. It's supposed to be able to allow sites to pop up help windows that completely mimic the OS's help system so the user doesn't get all confused by different styles of help. As long as web sites are allowed to store help files on the local machine, there is no safety net. Unless they add security that doesn't allow web sites to put files on the local machine in a trusted location. The description said that they didn't even have to store the help file on the local machine, all they had to do is provide a bogus help file name then an alternate help file from a web server somewhere, and when the bogus one failed, the Internet one is followed with local machine privileges executing whatever malicious script is in it.

So what do you folks think about this?

Chuck
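As an added example (not part of Chuck's post or of any of the advisories he quotes), here is a small Python content scanner in the spirit of the heuristic detection the post describes: it flags web pages or mail bodies that hand CHM content to the ITS protocol handler or to showHelp(), and rates a reference to a CHM served from a web server as the worst case, since that is the remote-help-file path the later posting describes. The scheme names (ms-its, its, mk:@MSITStore) and the "file.chm::/member" separator are taken from general knowledge of the ITS handler, not from the post; the sample documents are constructed and use the reserved .invalid TLD.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    source: str    # which construct matched: an ITS-family URL scheme or showHelp()
    target: str    # the referenced path or URL
    severity: str  # "high" remote CHM, "medium" CHM member reference, "low" bare ITS URL
    reason: str


# URL schemes routed to IE's InfoTech Storage (ITS) protocol handler.
# Assumption: scheme names and the "x.chm::/member" separator come from general
# knowledge of the handler, not from the post above.
ITS_SCHEME_RE = re.compile(
    r"\b(?P<scheme>ms-its|its|mk:@msitstore)\s*:\s*(?P<target>[^\s'\"<>)]+)",
    re.IGNORECASE,
)
# showHelp('...') with a string-literal argument.
SHOWHELP_RE = re.compile(r"\bshowHelp\s*\(\s*['\"](?P<arg>[^'\"]+)['\"]", re.IGNORECASE)
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
CHM_MEMBER_RE = re.compile(r"\.chm::/", re.IGNORECASE)


def _classify(source: str, target: str) -> Optional[Finding]:
    """Rate a CHM reference found in web content; None if the target is not CHM-related."""
    if REMOTE_RE.match(target):
        return Finding(source, target, "high",
                       "help content fetched from a web server through the ITS handler")
    if CHM_MEMBER_RE.search(target):
        return Finding(source, target, "medium",
                       "web content references a member inside a CHM file")
    return None


def scan_html(doc: str) -> List[Finding]:
    """Return every suspicious CHM/ITS reference in an HTML document or mail body."""
    findings: List[Finding] = []
    for m in ITS_SCHEME_RE.finditer(doc):
        scheme, target = m.group("scheme").lower(), m.group("target")
        f = _classify(scheme, target)
        if f is None:
            # Any ITS-family URL in web content is unusual; keep it as a low-severity note.
            f = Finding(scheme, target, "low", "ITS-family URL scheme used from web content")
        findings.append(f)
    for m in SHOWHELP_RE.finditer(doc):
        f = _classify("showHelp", m.group("arg"))
        if f is not None:
            findings.append(f)
    return findings


def max_severity(doc: str) -> str:
    """'high', 'medium', 'low' or 'none' for the worst finding in the document."""
    order = {"none": 0, "low": 1, "medium": 2, "high": 3}
    worst = "none"
    for f in scan_html(doc):
        if order[f.severity] > order[worst]:
            worst = f.severity
    return worst


# Constructed sample inputs (not real pages); hostnames use the reserved .invalid TLD.
SAMPLES = {
    "benign": "<a href='https://example.invalid/help.html'>Help</a>",
    "local_help": "<script>window.showHelp('mk:@MSITStore:C:\\Windows\\Help\\app.chm::/intro.htm');</script>",
    "remote_chm": "<iframe src='ms-its:http://example.invalid/help.chm::/page.htm'></iframe>",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, max_severity(doc), scan_html(doc))
```

The "medium" tier exists because a page that opens the OS help system through a local CHM is exactly the legitimate feature the posting mentions; it is worth a look but is not by itself the bypass. Only a CHM that lives on a web server, or an ITS reference whose target is remote, gets the "high" rating a mail gateway or proxy filter would act on.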