RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

From: Jelmer (jkuperus_at_planet.nl)
Date: 06/07/04

    To: "'Chris Carlson'" <chris@compucounts.com>
    Date: Mon, 07 Jun 2004 04:17:28 +0200
    
    

    I haven't installed SP2 yet since I heard a lot of complaints from people
    who claimed it caused instability, it had memory management issues, some
    drivers didn't work, security measures a bit too much in your face, etc.

    But I reviewed the list of changes some time back and I concur, it looks very
    promising. I think in the near future an IE exploit will be a rare
    occurrence as opposed to a biweekly event.

    -----Original Message-----
    From: Chris Carlson [mailto:chris@compucounts.com]
    Sent: maandag 7 juni 2004 4:06
    To: Jelmer
    Cc: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com
    Subject: RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary
    code (An analysis of the 180 Solutions Trojan)

    When run remotely:

    Line: 1
    Char: 1
    Error: Access is denied.
    Code: 0
    URL: http://62.131.86.111/security/idiots/repro/installer.htm

    When run locally, software installation is blocked.

    Using IE 6.0.2900.2096 SP2, WinXP SP2

    I've gotta say that SP2 has some VERY nice protection built in. On the
    downside, I still haven't figured out how to turn it off ;)

    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Jelmer
    > Sent: Sunday, June 06, 2004 21:22
    > To: bugtraq@securityfocus.com
    > Cc: full-disclosure@lists.netsys.com; peter@diplomatmail.net
    > Subject: [Full-Disclosure] Internet explorer 6 execution of
    > arbitrary code (An analysis of the 180 Solutions Trojan)
    >
    > Just when I thought it was safe to once more use Internet
    > Explorer I received an email bringing my attention to this
    > webpage http://216.130.188.219/ei2/installer.htm that
    > according to him used an exploit that affected fully patched
    > Internet Explorer 6 browsers. Being rather skeptical I
    > carelessly clicked on the link only to witness how it
    > automatically installed adware on my PC!!!
    >  
    > Now there had been reports about 0day exploits making rounds
    > for quite some time like for instance this post
    >  
    > http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0
    >  
    > However I hadn't seen any evidence to support this up until
    > now. Thor Larholm as usual added to the confusion by
    > deliberately spreading disinformation as seen in this post
    >  
    > http://seclists.org/lists/bugtraq/2004/May/0153.html
    >  
    > Attributing it to and I quote "just one of the remaining IE
    > vulnerabilities that are not yet patched"
    >
    > I've attempted to write up an analysis that will show that
    > there are at least 2 new and AFAIK unpublished
    > vulnerabilities (feel free to prove me wrong) out there
    > in the wild, one being fairly sophisticated
    >
    > You can view it at:
    >
    > http://62.131.86.111/analysis.htm
    >
    > Additionally you can view a harmless demonstration of the
    > vulnerabilities at
    >
    > http://62.131.86.111/security/idiots/repro/installer.htm
    >
    > Finally I also attached the source files to this message
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

