From: Russ (Russ.CooperRC.ON.CA)
Date: Tue Jun 04 2002 - 21:10:59 CDT


    There have been enough questions about this message to make me think it's worth taking a stab at an explanation:

    1. Microsoft spent the weekend testing how to make the malware.com sample HTML file remotely exploitable. They couldn't find a way in that short period of time.

    2. http-equiv never claimed this vulnerability could be remotely exploited. Basically, they discovered a vulnerability in the way IE handles files with .chm in their name. That's worth knowing! That it appears the only way to cause the execution is by having the file on your disk already and calling it from there is another matter.

    3. The risks associated with the discovery don't come from the discovery itself. Another attack vector needs to be used to make direct use of the http-equiv discovery. If someone discovers some way to call the Self-Executing HTML file remotely, then that discovery will be the attack vector. If, in order to exploit the discovery by http-equiv, I have to place a file on your machine and then remotely call it, I could probably do that with any file.

    That all said, the discovery does cause us to re-assess the risks associated with HTML files, and that was http-equiv's point, I believe. If, for example, you're simply looking for HTML-scripting in HTML files, then this type may get past your scanner.

    I call these sorts of things "components". The discovery may become a component of some future attack. By giving us the information before spending the time trying to turn it into a remotely exploitable attack (whether or not they could do that isn't important), we can look at ways of mitigating against attacks that may be using this component. Scanning all file types with AV, for example, is one way of mitigating against the vulnerability being exploited.

    Another fix being worked on by Microsoft has the side-effect of addressing the discovery by http-equiv. That fix should be available soon.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor