December 01, 2004

Fake InfoSec or Buffer Overflow and ActiveX

It is not by accident that Firefox (see sidebar) dumps ActiveX junk in the browser's equivalent of /dev/null (the circular file). This is fairly sweet:

... convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code with the privileges of the user. The attacker could also cause IE to crash.

Reports indicate that this vulnerability is being exploited by malicious code referred to as MyDoom.{AG,AH,AI} or Bofra.


Of course, causing M$IE 6.0 to crash isn't actually harmful to anything other than M$'s Justice Department staggering reputation as a bit source whose innovation is driven by monopoly market share. Come to think of it, they appear to be spot-on.

MyDoom and/or Bofra via html/email (which only an idiot would send or receive anyway) with an ActiveX assist from the operating system vendor of viral preference. Kwel. Now if we could just get the government and business to mandate M$ and M$IE, we could destroy archyism and capitalism à la fois.

I've put back the link to the win32/en-US (Windows binary, US English localization) Firefox Setup 1.0.exe on the sidebar (there are 25 localizations now, for Windows, Mac, and Linux). It is 4.9MB, or you can fetch it from the Mozilla Foundation directly. Remember, code is art. Enjoy, or ... enjoy.

Technical Cyber Security Alert TA04-336A

Update for Microsoft Internet Explorer HTML Elements Vulnerability

Original release date: December 1, 2004
Last revised: --
Source: US-CERT

Systems Affected

Microsoft Windows systems running

* Internet Explorer versions 6 and later (see MS04-040 for affected
software and components)

* Other programs that host the WebBrowser ActiveX control

Overview

Microsoft Security Bulletin MS04-040 contains an update to fix a
buffer overflow vulnerability in Internet Explorer.

I. Description

TA04-315A describes a buffer overflow vulnerability in Microsoft
Internet Explorer HTML elements that could allow a remote attacker to
execute arbitrary code. Note that any program that hosts the
WebBrowser ActiveX control could be affected. Microsoft Security
Bulletin MS04-040 contains an update to fix this vulnerability.

The vulnerability is described in further detail in VU#842160.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g.,
a web page or an HTML email message), an attacker could execute
arbitrary code with the privileges of the user. The attacker could
also cause IE to crash.

Reports indicate that this vulnerability is being exploited by
malicious code referred to as MyDoom.{AG,AH,AI} or Bofra.

III. Solution

Install an update

Install the appropriate update according to Microsoft Security
Bulletin MS04-040. For additional information about the update,
including possible adverse effects, please see Microsoft Knowledge
Base articles 889293 and 889669.

Appendix A. References

* Microsoft Security Bulletin MS04-040

* MS04-040: Cumulative Security Update for Internet Explorer (IE 6.0
SP1)

* An update rollup is available for Internet Explorer 6 SP1

* US-CERT Technical Cyber Security Alert TA04-315A

* Vulnerability Note VU#842160

* About the Browser (Internet Explorer - WebBrowser)

_________________________________________________________________

Feedback can be directed to the authors: Will Dormann and Art Manion.

Send mail to .

Please include the Subject line "TA04-336A Feedback VU#842160".

Posted by EBW at December 1, 2004 08:39 PM
Comments

I believe you when you say "code is art" but it is an art that I have a hard time appreciating.

For someone like me (severely technically challenged), what should I do? Should I download Foxfire from the side bar and then attempt to use it as my browser? If so, what do I do with IE? How will it affect my email (not that Outlook works very often)? What about my bookmarks?

Posted by: dwight at December 2, 2004 10:12 AM

Dwight, first thing you should do is to NOT use Outlook as your email - it is so easily corrupted and full of holes. Eudora is not as easily compromised, and is free (you can purchase a more complete version as well.)

You can block pop-ups with Firefox, and won't be cookied from hell. Since Eric knows nothing about Windows IE (except for its cookie handling, which he worked out with the IE team circa IE5.5), he can't tell you why Firefox is better for Windows users. I guess then that's up to me.

Posted by: MB at December 2, 2004 03:35 PM