iceblue Warrior Guru
Joined: 18 Jan 2004 Last Visit: 11 Apr 2006 Posts: 392 Location: Sydney
Posted: Fri Apr 09, 2004 8:11 am Post subject: Chm Exploit - looks bad.
Chm Exploit
This is about a new infection that exploits a vulnerability in IE.
Quote:
Right now there is no patch and it is in the wild.
Secondly, this is a web-based threat... you get infected by just going to a website running the exploit... no need to download anything.
-- mjc
http://www.securityfocus.com/archive/1/354447
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Rough summary of solutions as it stands...
The best defence would seem to be not to use IE, or at least to use it only when visiting 'safe' sites. (Paul Komski)
NOTE: Using an alternate web browser may not mitigate this vulnerability. It may be possible for a web browser other than IE on a Windows system to invoke IE to handle ITS protocol URLs.
* Religiously empty the Temporary Internet Files (TIF).
* Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels, at all, not even to check.
In the meantime:
* Disable "Launching programs and files in iframes" in the Internet Options of IE, or at least set it to prompt for the time being.
* Have ActiveX disabled,
* and seriously consider (see below) having JavaScript disabled.
* Maintain updated anti-virus software.
* Don't visit any unnecessary sites.
http://www.us-cert.gov/cas/techalerts/TA04-099A.html
Quote:
Currently, there is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.
Disable ITS protocol handlers
Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}
Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.
Follow good Internet security practices
These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities.
* Disable Active scripting and ActiveX controls
NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.
Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.
Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.
Quote:
NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability
This appears contradictory, but it looks to say it won't stop the vulnerability, but disabling Active scripting and ActiveX controls will prevent the malware download as the OS is fooled by the embedded CLSID reference.
Note: The malware uses a malformed CLSID which enables the exploit through IE, but it is not a true CLSID so SpywareBlaster won't pick it up as malware.
As always - happy to be better informed.
Updates when available.
hth
Ice
_________________
Travel safely!
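The US-CERT workaround quoted above says to delete or rename the four ITS protocol handler keys. The following script is an added example, not from the thread or the advisory: it audits whether each handler key is present, and with the (assumed) -Disable switch applies the rename workaround in a way that can be undone once a patch is installed. The ".disabled-TA04-099A" suffix is this script's own choice.

```powershell
# Added example (not from the thread or US-CERT): audit the ITS protocol handler
# keys named in TA04-099A and, with -Disable, rename them as the advisory's workaround.
# Run from an elevated PowerShell prompt. -Disable and the suffix are assumptions here.
param([switch]$Disable)

$handlerRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler'
$itsHandlers = 'ms-its', 'ms-itss', 'its', 'mk'   # the four handlers listed in TA04-099A
$suffix      = '.disabled-TA04-099A'

foreach ($name in $itsHandlers) {
    $key         = "$handlerRoot\$name"
    $renamedName = "$name$suffix"
    $renamedKey  = "$handlerRoot\$renamedName"

    if (Test-Path -LiteralPath $key) {
        # Handler is registered; report which COM server (CLSID) backs it.
        $clsid = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).CLSID
        Write-Output ("{0,-8} PRESENT   CLSID={1}" -f $name, $clsid)
        if ($Disable) {
            # Rename instead of delete so the original values survive for later restore.
            Rename-Item -LiteralPath $key -NewName $renamedName
            Write-Output ("{0,-8} renamed to {1}" -f $name, $renamedName)
        }
    }
    elseif (Test-Path -LiteralPath $renamedKey) {
        # Already worked around by this script; show how to reverse it.
        Write-Output ("{0,-8} DISABLED  restore: Rename-Item -LiteralPath '{1}' -NewName '{2}'" -f $name, $renamedKey, $name)
    }
    else {
        Write-Output ("{0,-8} absent" -f $name)
    }
}
```

Without -Disable the script only reports; as the advisory warns, renaming these keys breaks Windows Help, so restore them after the patch has been tested and installed.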
suzi Site Admin
Joined: 27 Jul 2003 Last Visit: 22 May 2013 Posts: 10271 Location: sunny California
Posted: Fri Apr 09, 2004 7:39 pm Post subject:
Thanks for the info! I disabled active scripting - now the smilies won't work. <---- That one I typed in myself.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
wawadave Warrior Obsessed
Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
Posted: Fri Apr 09, 2004 9:28 pm Post subject:
I have had it disabled for a long while now; they only work in Mozilla and Firebird, and when I come in using Linux. But I don't have spell checking when using those, and not everyone likes my unhelped spelling.
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
3162 Honorary Site Admin
Joined: 31 Mar 2004 Last Visit: 04 May 2009 Posts: 4452
Posted: Sat Apr 10, 2004 2:57 am Post subject:
Thanks for the info.
After reading http://www.securityfocus.com/archive/1/354447 it appears to me that the tag they mentioned ("another script tags and calls LAUNCH.HTML using the following: .....") could be posted into forums one way or another, couldn't it?
I mean, if some unscrupulous moron spoofed a security bulletin URL, unsuspecting users might click the link and then become infected, right?
Or could it be directly inserted as HTML and still function?
If that's true, then it could wreak havoc all over the place.
Please correct me if I'm wrong on this; I'm still trying to get a handle on all the implications of various things.
_________________
Proud member of the Chest Zipper Club!