It is a zero day bug, one of two found in IE these past two weeks. It was publicly disclosed. Apparently, someone is using it. Which is not a surprise.

Jelmer's Bug:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010013.html

A fix for this issue:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010042.html

Or, you can turn off ActiveX and Javascript... But, most people will not do that, and you might as well kill this component anyway.

> -----Original Message-----
> From: Brent Meshier [mailto:brent@meshier.com]
> Sent: Tuesday, September 23, 2003 12:13 PM
> To: bugtraq@lists.securityfocus.com
> Subject: Re: AIM Password theft
>
> Mark,
> The code you just sent looks familiar to a SPAM I received
> attempting to hijack users' e-gold accounts. Out of curiosity I
> followed that link which loaded start.html (attached). What worries
> me is that I'm running IE 6.0.2800.1106 with all the latest patches
> from Microsoft and this page (start.html) rewrote wmplayer.exe on my
> local drive without notice. After closing the page, I found two .exe
> files on my desktop (which loaded from
> http://doz.linux162.onway.net/eg/1.exe).
> Is this a new unknown vulnerability?
>
> Brent Meshier
> Global Transport Logistics, Inc.
> http://www.gtlogistics.com/
> "Innovative Fulfillment Solutions"
>
> -----Original Message-----
> From: Mark Coleman [mailto:markc@uniontown.com]
> Sent: Tuesday, September 23, 2003 11:43 AM
> To: bugtraq@securityfocus.org
> Subject: [Fwd: Re: AIM Password theft]
>
> Hi, can anyone shed some light on this for me? If this is new, it's
> going to spread like wildfire. AOL or incidents lists have yet to
> reply.... it appears to be a legitimate threat as I have at least one
> user "infected" already.. Thank you..
>
> -Mark Coleman