Some AV will catch these because of malware's exploit code which he has reused. Some AV will catch this because of greymagic's exploit code. Which is all fine and good, a bit like a magic trick. Yes, the demonstration exploit is caught... But the worm or trojan exploit someone maliciously sends to your system -- this won't be caught.

The only sure way to detect this, I already wrote about [to Bugtraq]. That is by setting a firewall rule which blocks the dangerous mimetype string [Content-Type: application/hta]. Everything else in the exploit can change.

But, why merely detect it and risk encoded and other types of AV/IDS/IPS evading techniques? Why not just do this fix?

I think, ultimately, it depends on how safe you want to be. Some people do not mind having their systems be at risk. That is their choice.

> -----Original Message-----
> From: ADBecker@chmortgage.com [mailto:ADBecker@chmortgage.com]
> Sent: Monday, September 08, 2003 12:17 PM
> To: GreyMagic Software
> Cc: Bugtraq; full-disclosure@lists.netsys.com; http-equiv@excite.com; NTBugtraq; Microsoft Security Response Center; vulnwatch@vulnwatch.org
> Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
>
> Updated antivirus software should catch this exploit and prevent any application from being launched. We have McAfee VirusScan 7 Ent. which caught both exploit examples at http://greymagic.com/adv/gm001-ie/
>
> Andrew Becker
> C.H. Mortgage, D.R. Horton
> Phoenix IT/MIS Department
> Phone: (866) 639-7305
> Fax: (480) 607-5383
>
> "GreyMagic Software" <security@greymagic.com>
> 09/08/03 07:52 AM
> To: "NTBugtraq" <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, "Bugtraq" <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, <vulnwatch@vulnwatch.org>
> cc: <http-equiv@excite.com>, "Microsoft Security Response Center" <secure@microsoft.com>, (bcc: Andrew D Becker/Continental Homes)
> Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
>
> >The patch for Drew's object data=funky.hta doesn't work:
>
> This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which explains the problem in detail. Microsoft again patches the object element in HTML, but it doesn't patch the dynamic version of that same element.
>
> >1. Disable Active Scripting
>
> This actually means that no scripting is needed at all in order to exploit this amazingly critical vulnerability:
>
> <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
> <xml id="oExec">
> <security>
> <exploit>
> <![CDATA[
> <object data=x.asp></object>
> ]]>
> </exploit>
> </security>
> </xml>
>
> Ouch.
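The reply above argues that the one stable thing to filter on is the response's mimetype, Content-Type: application/hta, because the rest of the exploit markup can change. The following is an added example, not code from this thread or from GreyMagic, of what such a filter has to do to be reliable: parse the HTTP response headers and compare the media type after normalising case, whitespace and parameters, rather than matching the literal string. The sample responses are constructed for the demonstration and are not real traffic; the function names are the example's own.

```python
import re

# Constructed sample HTTP responses (not captured traffic). The second one
# carries the same media type with different casing, extra whitespace and a
# parameter, which is enough to slip past a literal-string rule.
SAMPLE_RESPONSES = {
    "plain_hta": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/hta\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    ),
    "cased_hta": (
        b"HTTP/1.1 200 OK\r\n"
        b"content-type:  Application/HTA ; charset=utf-8\r\n"
        b"\r\n"
        b"<html></html>"
    ),
    "html": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html; charset=utf-8\r\n"
        b"\r\n"
        b"<html></html>"
    ),
}

# Media types the filter refuses to pass to the browser. Only the type named
# in the discussion is listed; extend as policy requires.
BLOCKED_MEDIA_TYPES = {"application/hta"}


def parse_headers(raw: bytes) -> dict:
    """Return the response headers as a dict keyed by lower-cased name.

    Only the header block before the first blank line is read; the body is
    ignored because the decision is made on the declared media type.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = re.split(rb"\r?\n", head)
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            continue  # not a header line; skip rather than guess
        headers[name.strip().lower()] = value.strip()
    return headers


def media_type(content_type: str) -> str:
    """Strip parameters (e.g. '; charset=utf-8') and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def naive_match(raw: bytes) -> bool:
    """The brittle rule: a literal substring match on the header text."""
    return b"Content-Type: application/hta" in raw


def should_block(raw: bytes) -> bool:
    """The robust rule: parse the header, normalise, compare media types."""
    headers = parse_headers(raw)
    return media_type(headers.get("content-type", "")) in BLOCKED_MEDIA_TYPES


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name:10s} naive={naive_match(raw)!s:5s} parsed={should_block(raw)}")
```

Run as a script it prints one line per sample; the point to take from it is that the naive substring rule misses the second sample while the parsed comparison catches both HTA responses and leaves the ordinary HTML response alone. A proxy or IDS that filters on mimetype needs the parsed form, and the author's caveat still applies: this only sees what is declared in the header, so it is a layer, not a substitute for the patch.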