Saturday, December 15, 2001 "Jouko Pynnonen" <jouko@solutions.fi> wrote in message > VENDOR STATUS > > Microsoft was initially contacted on November 19th with the information > regarding the "file extension spoofing" problem. The Security Warning > dialogs of IE5 could be bypassed with that exploit, but the "automatically > start an .exe" variation of the vulnerability wasn't known at the time. > Microsoft didn't consider the file extension spoofing problem a security > vulnerability. The company was informed about the new variation on > November 27th and started working on a patch to correct the flaw. The > patch is now out and downloadable on Microsoft's site at > > http://www.microsoft.com/technet/security/bulletin/MS01-058.asp She and her beta team forgot about *the* most important Content-Type: Clearly what this so-called "patch" does is convert all embedded file types in MHTML documents viewed in patched Internet Explorer 6 into *.TMP files. Previously all file types and file names were retained and if accepted would run. What that means is when prompted for 'opening or saving', [screen shot: http://www.malware.com/dumbload.jpg 14KB], if your hand should slip or if you do not know any better and select 'open', because the file extension is *.TMP, you will be asked 'what do you want to open the file with' (screen shot: http://www.malware.com/sesame.jpg 20KB) which does indeed kill any accidental or running of the file. Working example: [open in IE6 "patched"] http://www.malware.com/badman.zip 11KB Before the patch and under an MTHML file situated on the web site and viewed with Internet Explorer 6, you would be in a position to manipulate the file extension and download box as displayed here: [screen shot: http://www.malware.com/ohno.jpg 27KB] Now with the so-called "patch", regardless of the filename="malware.exe" or the Content-Type: image/gif; combination, everything is effectively converted to a *.TMP file in the Temporary Internet File. Attempting to open the *.TMP, depending on what it is will either bring up the 'what do you want to open the file with' box, or display the file as plain text. Dangerous files such as *.exe or *.scr or *.bat simply will not run if you elect to run the file through the Internet Explorer 6 patched browser. Sounds good. Unfortunately, while she did a fairly reasonable job on this so-called "patch" she forgot one of the most important content-types. Her very own invention. The one and only: Content-Type: application/hta; We are still able to invoke a download, that if accepted will execute our malware on the target computer, through the "patched" Internet Explorer 6. This newly found creation of download file conversion through MHTML to generic *.TMP file name on the download box coupled with the 'supposed' security of this so-called "patch" will most definitely yield plenty of quick prey: Working Example: [self explanatory includes harmless *.exe, open in IE6 "patched"] http://www.malware.com/dumbload.zip 4KB Notes: 1. We note that this patch has zero effect on Outlook Express 6 and the ability to "spoof" file names [see: http://www.securityfocus.com/bid/3271]. Coming up 17 months and counting now. 2. Workhorse: Windows 98 and Internet Explorer 6.0.2600 and this so-called "patch". 3. Seasons Greetings to Everyone. Yeah you too, incompetent slobs. End Call --- http://www.malware.com ______________________________________________________________________________ Send a friend your Buddy Card and stay in contact always with Excite Messenger http://messenger.excite.com
