RE: AIM Password theft

From: Andrew McKnight (Andrew.McKnight_at_clg.co.uk)
Date: 09/24/03

  • Next message: Richard Johnson: "Re: Probable new MS DCOM RPC worm for Windows"
    To: "Lothar Kimmeringer" <bugtraq@kimmeringer.de>, <incidents@securityfocus.com>
    Date: Wed, 24 Sep 2003 11:23:04 +0100
    
    

    Is there a specific patch for this vulnerability? Windows Update is telling me I'm completely up to date but I'm still vulnerable.

    Andy.
    IT Guy.

    -----Original Message-----
    From: Lothar Kimmeringer [mailto:bugtraq@kimmeringer.de]
    Sent: 24 September 2003 00:44
    To: incidents@securityfocus.com
    Subject: Re: AIM Password theft

    On Tue, 23 Sep 2003 10:53:59 -0400, Mark Coleman wrote:

    >I just started investigating a report that appears to have merit of a
    >username/password theft of AIM accounts.
    >
    >Users are being directed to a web page located at www.haxr.org where the
    >source appears to run a javascript program that is purportedly stealing
    >AIM usernames/passwords/buddy lists.
    >
    >Does anyone have any information related to www.haxr.org or the
    >technique being used?

    The technique uses a flaw in Internet Explorer with the OBJECT-tag
    allowing code to be executed locally that is loaded from a website.

    The tag
        <object data=tracker.php></object>
    lets IE download a HTML-application that will be executed after
    loading.

    A test page where you can test your locally installed Internet
    Explorer for being vulnerable can be found at
    http://www.heise.de/security/dienste/browsercheck/demos/ie/htacheck.shtml
    If your installation is vulnerable, a program will be downloaded
    to C:\browsercheck.exe that will be executed afterwards leading to
    a window popping up. The page is in German.

    Regards, Lothar

    -- 
    Lothar Kimmeringer                E-Mail: mailbody@kimmeringer.de
                   PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)
    Always remember: The answer is forty-two, there can only be wrong
                     questions!
    ----------------------------------------------------------------------------
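
Added example, not part of the original thread and not code from any of the posters: a defender-side check over a proxy capture that flags pages whose OBJECT tag data= URL resolves to a response served as an HTML application, the pattern described in the quoted reply. The application/hta content type, the record layout and the sample hostnames are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumption: the HTML application is served with this MIME type.
HTA_TYPES = {"application/hta"}


class ObjectDataFinder(HTMLParser):
    """Collect the resolved data= URL of every <object> element in a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        data = dict(attrs).get("data")
        if tag == "object" and data:
            self.targets.append(urljoin(self.base_url, data))


def find_hta_object_loads(records):
    """Return (page_url, object_url) pairs where a page's <object data=...>
    resolves to a response the server labelled as an HTML application."""
    served = {url: ctype.split(";")[0].strip().lower()
              for url, ctype, _ in records}
    hits = []
    for url, _, body in records:
        if served[url] != "text/html":
            continue
        finder = ObjectDataFinder(url)
        finder.feed(body)
        hits += [(url, t) for t in finder.targets if served.get(t) in HTA_TYPES]
    return hits


# Constructed sample proxy capture: (url, Content-Type, body).
# Hostnames are placeholders, not taken from the thread.
SAMPLE = [
    ("http://site.example/index.html", "text/html; charset=iso-8859-1",
     "<html><body><OBJECT DATA=tracker.php></OBJECT></body></html>"),
    ("http://site.example/tracker.php", "application/hta", "<html></html>"),
    ("http://other.example/", "text/html",
     '<object data="movie.swf" type="application/x-shockwave-flash"></object>'),
    ("http://other.example/movie.swf", "application/x-shockwave-flash", ""),
]

if __name__ == "__main__":
    print(find_hta_object_loads(SAMPLE))
```

The match is keyed on the content type the server declared for the object URL, not on its file extension, which is why the .php target in the sample is flagged while the Flash object is not.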
    
