Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
[Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
From: Feher Tamas (etomcatfreemail.hu)
Date: Wed Feb 18 2004 - 12:50:22 CST
>Now all we have to do is create a BMP with bfOffBits > 2^31,
>and we're in. cbSkip goes negative and the Read call clobbers
>the stack with our data. See attached for proof of concept.
>index.html has [img src=1.bmp] where 1.bmp contains
>bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
>Brings down IE5 / OE5 (tested successfully on Win98)
Kaspersky Lab's AVP (and possibly other vendors') antivirus suites now
detect the presence of this method in files by the name "Suspicion:
So any future worm or virus that tries to use this attack vector to inject
itself automatically should be stopped from the very first minute. Even if
it is a brand new malware.
Sincerely: Tamas Feher.
Full-Disclosure - We believe in it.