Re: Bug Triad Whacks Microsoft Browser

From: Jim Byrd (jrbyrd@spamlessattbi.com)
Date: 09/04/02 

From: "Jim Byrd" <jrbyrd@spamlessattbi.com>
Date: Wed, 4 Sep 2002 14:53:56 -0700

FWIW, McAfee using sdat4221 with the 4.1.60 engine caught the "demo" on download to the WMP before execution. Regards, Jim Byrd

 
 In news:e72401c25454$7abd5650$9ae62ecf@tkmsftngxa02, Melvyn typed:
> Someone just sent me this. Is it serious??
>
> Bug Triad Whacks Microsoft Browser
>
> Researchers discover that three "low risk" bugs can
> combine to send a Windows system up in flames.
> By Brian McWilliams, Sep 4 2002 9:25AM
>
> To prove that no security bug is truly harmless, a
> security group has stitched together two minor flaws in
> Microsoft's Internet Explorer 6.0 browser with a small
> glitch in Windows Media Player to create one seriously
> powerful attack.
>
> By coaxing IE users to view a Web page containing the
> special code, an attacker can silently force Windows 98,
> Windows 2000, or Windows XP users to run a malicious
> program of the attacker's choice.
>
> The security group, Malware.com, has created a harmless
> demonstration (http://www.malware.com/stench.html)of the
> flaw which downloads and runs an executable program that
> fills the victim's computer screen with flames.
>
> A Malware.com member who uses the nickname "Http-equiv"
> says he named the vulnerability "Stench" to dramatize why
> it's dangerous for Microsoft to downplay and delay
> patching security bugs that it considers minor.
>
> "Their patching tiny pinprick holes and not the overall
> problems, their mitigating factors, their ignoring small
> demonstrated flaws, all add up into a monster problem,
> which basically stinks," said Http-equiv in an e-mail
> interview Tuesday.
>
> Internet Explorer currently contains at least 18 security
> bugs, many of them low-risk annoyances. Because it allows
> an attacker to run code on a victim's machine, Stench is
> the most serious security issue currently facing IE,
> according to Thor Larholm, a researcher with Pivx
> Solutions who tracks IE vulnerabilities.
>
> Larholm said the information provided in the Malware.com
> advisory could easily be used to create a harmful exploit.
>
> "Follow the steps and you're done. I could let my 12-year-
> old cousin do this," said Larholm, who added that because
> all three bugs have been known to Microsoft for many
> months, Malware.com's release of the information was "by
> the book" and does not constitute what Microsoft
> calls "irresponsible disclosure."
>
> A Microsoft representative said the company was currently
> studying the report and would take appropriate action.
>
> Company Patchwork Faulted
> According to Http-equiv, the exploit depends in part on a
> known quirk in how Microsoft's media player handles self-
> extracting Windows Media Download (WMD) files.
>
> "If we can place our 'goodies' inside the .wmd file and
> have the player unpack it, we now have arbitrary code on
> the target computer," said Http-equiv.
>
>
> Using a year-old IE bug known as the "codebase local path"
> vulnerability -- a bug that was only partially fixed by
> Microsoft last March -- the Stench exploit is able to
> unpack and execute the malicious code without triggering
> IE's security settings, he said.
>
> According to Larholm, a major update to Internet Explorer
> known as IE6 Service Pack One could include fixes for
> numerous bugs, including those exploited by Stench.
> Microsoft quietly released SP1 to its download servers in
> late August but removed the upgrade shortly afterwards
> without explanation.
>
> On August 22, Microsoft issued a cumulative patch for IE
> that addressed several severe bugs did not include
> complete fixes for the codebase localpath and numerous
> other vulnerabilities, Larholm said.
>
> Malware.com's Stench advisory, posted to security mailing
> lists on August 21, concluded with the following
> statement: "Instead of sitting around trying to thinking
> up ways that all these things cannot work, simply fix it
> the first time round. There is no such thing
> as 'mitigating factors' and 'hurdles'. This is a lie. Pure
> fantasy. Fiction. Fix it when you can! For every way you
> think it cannot be done, there are 10 ways it actually
> can!"

Relevant Pages