Re: Spyware/Virus
From: Kent W. England [MVP] (kwe_at_mvps.org)
Date: 09/14/04
- Previous message: ceratusdominus_at_hotmail.com: "Re: worm/agobot.14/ae"
- In reply to: MAP: "Re: Spyware/Virus"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 13 Sep 2004 22:17:58 -0700
MAP wrote on 12-Sep-2004 10:53 PM:
> Hi Kent, what is the drag&drop vulnerability?
The Drag&Drop vulnerability is also known as the Shell Handler
vulnerability and is a variant of Liu Die Yu's HijackClick
vulnerability/exploit(s). It is another one of those sneaky ways to
trick IE into executing code that is in the Local Zone (on the hard
disk) bypassing security checks that should apply to Internet Zone
content. SP2 fixed about a dozen of these exploits, but this one wasn't
fixed.
This vulnerability affects SP2 and is, to my knowledge, currently the only
known IE SP2 vulnerability that is exploited in the wild, for example by
the Akak trojan. (There is also an image file that will crash IE and Firefox
in a DoS vulnerability, called "Bipin's Surprise" or something similar.)
See http://secunia.com/advisories/12321/ for more information on the
Drag&Drop vulnerability. Ignore the other vulnerabilities listed for
IE6, since most/all of them are patched in SP2.
Mitigation techniques include disabling the Shell Handler using registry
key changes (eg, provided by Pivx), disabling the new SP2 "binary
behaviors" setting or, the simplest it seems to me, setting Internet
zone security to "High" and using the IE5 Power Tweaks to put a new "Add
site to Trusted Zone" menu item in your tools menu to easily stuff a web
site into the trusted zone to allow active scripting. Setting your
Internet Zone to High is an excellent preventative to avoid any number
of unknown vulnerabilities related to executable web content.
You can also simply disable active scripting in your current Internet
zone settings to protect yourself from this exploit. Pivx Quik-Fix and
Prevx Home tools also protect against this exploit. MS has released no
patch to fix this, although if they did, it would be similar to the
adodb.stream patch, relatively simple, but prone to breaking stuff.
-- Kent W. England, Microsoft MVP for Windows Security
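The reply above recommends two Internet Zone settings as protection: setting the zone to "High" and/or disabling Active Scripting (and, as another option, the SP2 "binary behaviors" setting). The PowerShell script below is an added example, not code from the original post or from any of the tools it mentions. It reads the current user's Internet Zone (zone 3) settings from the registry and reports whether the machine still has the weak configuration (scripting and binary behaviors both enabled), and offers a function to apply the "disable Active Scripting" mitigation. The registry path and the value names `CurrentLevel`, `1400` (Active scripting) and `2000` (Binary and script behaviors) are the documented IE URL-action identifiers; the function names are my own.

```powershell
# Added example: audit and (optionally) harden the IE Internet Zone settings
# that the reply recommends. Reads HKCU only; a machine-wide policy
# (HKLM ...\Zones or Group Policy) can override what is reported here.
#
# Value meanings (documented IE URL-action identifiers):
#   CurrentLevel : 0x12000 = High, 0x11000 = Medium, 0x10500 = Medium-Low, 0x10000 = Low
#   1400         : Active scripting            (0 = Enable, 1 = Prompt, 3 = Disable)
#   2000         : Binary and script behaviors (0 = Enable, 3 = Disable, 0x10000 = Admin-approved)

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Translate a URL-action DWORD into a human-readable name.
function ConvertTo-ActionName {
    param([object]$Value)
    if ($null -eq $Value) { return 'not set (zone default)' }
    switch ([int]$Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        0x10000 { 'Admin-approved' }
        default { '0x{0:X}' -f [int]$Value }
    }
}

# Translate the CurrentLevel DWORD into the slider name shown in the IE UI.
function ConvertTo-LevelName {
    param([object]$Value)
    if ($null -eq $Value) { return 'not set' }
    switch ([int]$Value) {
        0x12000 { 'High' }
        0x11000 { 'Medium' }
        0x10500 { 'Medium-Low' }
        0x10000 { 'Low' }
        default { 'Custom (0x{0:X})' -f [int]$Value }
    }
}

# Report the current Internet Zone posture for the two settings in question.
function Get-InternetZoneAudit {
    if (-not (Test-Path -Path $ZoneKey)) {
        throw "Internet Zone key not found: $ZoneKey"
    }
    $zone = Get-ItemProperty -Path $ZoneKey

    $scripting = $zone.'1400'
    $behaviors = $zone.'2000'

    [pscustomobject]@{
        Zone               = 'Internet (3)'
        CurrentLevel       = ConvertTo-LevelName -Value $zone.CurrentLevel
        ActiveScripting    = ConvertTo-ActionName -Value $scripting
        BinaryBehaviors    = ConvertTo-ActionName -Value $behaviors
        # Weak configuration as described in the post: both still enabled.
        WeakConfiguration  = (($null -eq $scripting -or [int]$scripting -eq 0) -and
                              ($null -eq $behaviors -or [int]$behaviors -eq 0))
    }
}

# Apply the simplest mitigation from the post: disable Active Scripting in the
# Internet Zone. Supports -WhatIf / -Confirm so it can be dry-run first.
function Disable-InternetZoneActiveScripting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($ZoneKey, 'Set 1400 (Active scripting) = 3 (Disable)')) {
        Set-ItemProperty -Path $ZoneKey -Name '1400' -Value 3 -Type DWord
    }
}

# Usage: show the current posture, then dry-run the change.
Get-InternetZoneAudit | Format-List
Disable-InternetZoneActiveScripting -WhatIf
```

Run the audit first; if `WeakConfiguration` is `True`, the profile is in the state the reply warns about. Disabling scripting in the Internet Zone is coarse, which is why the post pairs it with adding individual sites to the Trusted Zone; re-run `Get-InternetZoneAudit` after any change to confirm the value stuck and was not reset by a machine-wide policy.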