Hey folks,

 

Have you seen the alerts on the latest IE bug out today?

 

Folks on the Dshield list have been talking about it and sounds like a
nightmare in the making.

 

Here is the initial post:

 

Microsoft Internet Explorer does not properly validate source of CHM
components referenced by ITS protocol handlers

 

Overview: Microsoft Internet Explorer (IE) does not adequately validate the
source of script contained in compiled help (CHM) file components that are
referenced by the Microsoft InfoTech Storage (ITS) protocol handlers. An
attacker could exploit this vulnerability to execute script in different
security domains. By causing script to be run in the Local Machine Zone, the
attacker could execute arbitrary code with the privileges of the user
running IE.

 

http://www.kb.cert.org/vuls/id/323070

 

 

AU-2004.007 -- AusCERT Update - Vulnerability in Internet Explorer Allows
Program Execution

 

http://www.auscert.org.au/render.html?it=3990

 

 

Internet Explorer showHelp() Restriction Bypass Vulnerability

 

Critical: Highly critical 

Impact: Security Bypass

Where: From remote

Software: Microsoft Internet Explorer 5.01

Microsoft Internet Explorer 5.5

Microsoft Internet Explorer 6

 

http://secunia.com/advisories/10523/

 

 

When I visited Secunia's web page (at the above address), I received the
following virus alert (issued by NAV2004):

 

Source: C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\0LU1UHY7\10523[1].htm

Click for more information about this threat: Bloodhound.Exploit.6

 

Guess this is just Secunia's way of demonstrating the vulnerability's
existence on browsers concerned.

 

Since the virus was detected in the browser's cache, access to the infected
file was denied and repair failed. After closing the browser, a scan of
Temporary Internet Files, however, showed NO threats.

 

 

NAV2004-

 

Bloodhound.Exploit.6

 

Bloodhound.Exploit.6 is a heuristic detection for exploits of a Microsoft
Internet Explorer vulnerability, which was discovered in February 2004. 

 

The vulnerability results from the incorrect handling of HTML files embedded
in CHM files. (CHM is the Microsoft-compiled HTML help format.)

 

This vulnerability is known to be used in the wild.

 

http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html

 

and one of the latter postings:

 

After reading the sites that reported it, it seems like there is really
nothing to stop it, because it's using a "feature" of MSIE and
MSOutlook.  It's supposed to be able to allow sites to pop up help
windows that completely mimic the OS's help system so the user doesn't
get all confused by different styles of help.  As long as web sites are
allowed to store help files on the local machine, there is no safety
net.  Unless they add security that doesn't allow web sites to put files
on the local machine in a trusted location.  The description said that
they didn't even have to store the help file on the local machine, all
they had to do is provide a bogus help file name then an alternate help
file from a web server somewhere, and when the bogus one failed, the
Internet one is followed with local machine privileges executing
whatever malicious script is in it.

 

So what do you folks think about this?

 

Chuck
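
Added example, not part of the original message or the advisories it quotes: a defender-side scan that lists references to the ITS protocol handlers in HTML (for instance files under Temporary Internet Files or a proxy capture) and flags those whose CHM target is remote. The handler prefixes (ms-its, ms-itss, its, mk:@MSITStore) are taken from public advisories on this issue, not from this page; the function names, sample HTML and host names are constructed for illustration.

```python
import html
import os
import re
from urllib.parse import unquote

# ITS handler prefixes named in public advisories for this issue (assumption:
# not listed on this page). Matched case-insensitively, not inside longer words.
_ITS_URL = re.compile(
    r"(?<![\w-])((?:ms-itss?|its|mk:@msitstore):)([^\s\"'<>]+)", re.IGNORECASE
)
# Target points off-box: a network URL scheme or a UNC path.
_REMOTE = re.compile(r"(?:https?|ftp)://|\\\\", re.IGNORECASE)

def find_its_references(html_text):
    """Return (scheme, target, is_remote) for each ITS-handler URL in html_text."""
    # Undo entity and percent encoding first so encoded references are seen.
    text = unquote(html.unescape(html_text))
    return [
        (m.group(1).lower(), m.group(2), bool(_REMOTE.search(m.group(2))))
        for m in _ITS_URL.finditer(text)
    ]

def scan_tree(root):
    """Map file path -> remote ITS references for every file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    body = fh.read().decode("latin-1")  # any byte decodes
            except OSError:
                continue  # locked or unreadable cache entry
            remote = [f for f in find_its_references(body) if f[2]]
            if remote:
                hits[path] = remote
    return hits

# Constructed sample: one local help reference, two remote ones, and prose
# that must not match ("its: ..." and "bits:transfer").
SAMPLE = '''<html><body>
<a href="ms-its:C:\\WINDOWS\\Help\\local.chm::/topic.htm">help</a>
<iframe src="MS-ITS:http://example.invalid/x.chm::/page.htm"></iframe>
<script>location = "mk:@MSITStore:%5C%5Cfileserver.invalid%5Cshare%5Cy.chm::/a.htm";</script>
<p>The product and its: documentation; bits:transfer</p>
</body></html>'''

if __name__ == "__main__":
    for finding in find_its_references(SAMPLE):
        print(finding)
```

A remote target is the case the advisories above are concerned with; a reference to a CHM already on the local disk is how ordinary help links look.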

 



This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].