Temporary Fix for IE Zero Day Malware RE: BAD NEWS: Microsoft Security Bulletin MS03-032

From: Drew Copley (dcopley_at_EEYE.COM)
Date: 09/08/03

    Date:         Mon, 8 Sep 2003 11:44:06 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta

    Changing this makes one immune. If you change this to application/htaOLD, then someone has to use application/htaOLD on you. I would suggest a very long random number/character combination or deletion. As for deletion, the contents are entirely standard and may be brought back easily.

    Deletion is the safest avenue.

    Our Network Admin asked:
    "Will that fully disable execution of html apps (with the
    extension .hta)?"

    Some network administrators use documents with the .hta extension. Beyond this field, I don't think anyone uses it. Regardless, yes, you may still use hta files -- they just must be identified by having a proper extension. They may not be identified by MIME type, which the bug depends on.

    In the vast majority of instances you will find that even with HTA files being transferred over the network, they will not depend on or even use the MIME type.

    There may be as yet undiscovered variants of this issue which I am unaware of at this time. This fix may not protect against these variants. But, this fix does protect against this variant, so I suggest people use it.

    > -----Original Message-----
    > From: http-equiv@excite.com [mailto:1@malware.com]
    > Sent: Saturday, September 06, 2003 4:20 PM
    > To: secure@microsoft.com
    > Cc: Russ.Cooper@TruSecure.ca; dcopley@eeye.com
    > Subject: BAD NEWS: Microsoft Security Bulletin MS03-032
    >
    >
    >
    >
    > Bad news.
    >
    > Your patch from Drew's object data=funky.hta doesn't work:
    >
    http://www.malware.com/badnews.html

    <script>
      var oPopup = window.createPopup();

      function showPopup() {
        oPopup.document.body.innerHTML = "<object data=ouch.php>";
        oPopup.show(0,0,1,1,document.body);
      }
      
      showPopup()
    </script>

    - --
    http://www.malware.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBP1zN9QkWkugjEnC3EQJSKgCdEPx/Xjmc3a6ZgCy4UeYIdvlOnGwAoMbX
    gmUobjF6xPcoUWiyBdJYjSf2
    =vpqP
    -----END PGP SIGNATURE-----
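
The workaround described in the message above (delete the `application/hta` content-type key, keeping a copy so the standard contents can be brought back), as an added PowerShell example that is not part of the original post. The `-Action` parameter, the `Test-HtaMimeKey` function and the backup file path are assumptions introduced here; only the registry key comes from the message.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# reg.exe is used instead of the HKLM:\ registry provider because the
# provider treats the "/" in "application/hta" as a path separator.
param(
    [ValidateSet('Audit', 'Remove', 'Restore')]
    [string]$Action = 'Audit',
    # Assumed backup location; change to suit your environment.
    [string]$BackupFile = "$env:SystemDrive\application-hta-backup.reg"
)

$Key = 'HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/hta'

function Test-HtaMimeKey {
    # reg.exe exits 0 when the key exists and non-zero when it does not.
    $null = & reg.exe query $Key 2>&1
    return ($LASTEXITCODE -eq 0)
}

switch ($Action) {
    'Audit' {
        if (Test-HtaMimeKey) {
            Write-Output "PRESENT: $Key"
            & reg.exe query $Key
        } else {
            Write-Output "ABSENT: $Key"
        }
    }
    'Remove' {
        if (-not (Test-HtaMimeKey)) { Write-Output 'Nothing to do: key already absent.'; break }
        # Export first so the key can be restored if something depends on it.
        & reg.exe export $Key $BackupFile /y
        if ($LASTEXITCODE -ne 0) { throw 'Backup failed; key left in place.' }
        & reg.exe delete $Key /f
        if ($LASTEXITCODE -ne 0) { throw 'Delete failed (is the prompt elevated?).' }
        Write-Output "Removed. Backup saved to $BackupFile"
    }
    'Restore' {
        if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup at $BackupFile" }
        & reg.exe import $BackupFile
        if ($LASTEXITCODE -ne 0) { throw 'Import failed.' }
        Write-Output "Restored $Key from $BackupFile"
    }
}
```

Running the script with `-Action Audit` across a fleet shows which machines still carry the mapping before and after the change.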
