Lane

It an exploit that lets the attacker execute any code on the victims computer and edit the registry too. The victim can be infected simply by visiting a webpage.

I have all windows security updates and patches installed, it still works on my browser. I asked a few people to test it, it worked for them too.

I tried to submit a form to microsoft, which said they would get back to me in 24 hours, but they havent.. and i would surprised if they even read that shit.

What do you suggest I should do about this?

__________________

Lane

I havent discovered it, i just found it on a webpage that tried to run ftp on my machine to download some exe files to my pc, and only zonealarm could stop it from happening...

i looked through the code to figure out how it works and demonstrated it with some other harmless code and verified that it works.

__________________

Muff

If you want to get something done fucking going to Microsoft.

Goto the media. Goto wirednews.com cnn.com etc.. email them all and it will be patched in no time.

Lane

I'm sure a lot of those proxy selling people install shit to people's computers with this method..

__________________

Lonny

Good luck trying to send it to MSoft, The'll tell you to were aware of the problem wait for a patch to come out for the exploit...

__________________

brand0n

set it up to run auto run a dialer and send all your traffic there

j/k yea what he said, contact the media

__________________

EscortBiz

icq me ill give you the contact number of a top guy there

__________________

Spanking, Medical Fetish, Sleeping, Strap-on Anal Lesbians, Girls Fucking Guys, Handjob site REAL HOT, Shemales, Anal and Ass Licking sites 100% Real EXCLUSIVE with amazing retention, ccbill payouts, lots of content FREE FTP HOSTING

Promote the largest and oldest member paid escort site, Converts 10 times better then any dating site, CCBill payouts

ICQ# 158802076

Rorschach

Switch to Linux.

Lane

thanks

__________________

Lonny

__________________

rowan

Lane, not sure if it's the same exploit, but I recently had a web page create and execute an EXE file on my desktop without warning. I'm up to date with patches and I have active-x on prompt.

I copied the vbscript and changed the name of the file it executes to something harmless like notepad.exe - but I couldn't reproduce it, I kept getting warnings that the script wasn't permitted to execute the file. I'm still scratching my head.

Naughty

Gotta love Escort P.I.

__________________
seks.ai for sale - ping me

Lane

lol, i did almost the same thing, i had it run wordpad and change my homepage, but mine worked

__________________

Lane

Uhm, lemme put it this way.. i wanna do something about it, i dont wanna just protect myself

__________________

Lane

another note: anti-virus software doesnt pick up this shit either.. i am running norton 2003 pro

__________________

Forest

I agree with mutt

the media

wirednews

cnbc

msnbc

they have the platform to get microsofts attn

Lane

and how do i get the media's attention?

__________________

Freestyleman

i guess you mean the vulnerable object code thing?

Lane

something like that
pretty much the same exploit that used to be on IE5 that was patched long ago, but there is way to do it on IE6

__________________

SomeCreep

tell securityfocus.com

__________________

Webair Hosting

I use and recommend Webair for hosting.

Preacher

RainMailer

Where did you find this exploit? I want to see if my machines are vulnerable. Oh yeah Phoenix rocks I worked there for like 3 months. Had fun even tho I found myself lost in the desert a few times and enjoyed driving like a madman with the rest of the people in phoenix.

__________________
harbinc at gmail dot com

extreme

Its a well known vuln ... a variant of the latest IE vuln. Norton catched one variant of it but I guess it can be bypassed pretty easily with some mods. I think switching off DirectX makes you resistant to it. Microsoft will prob. come out with a patch in a few days.

__________________

goBigtime

I always thought you worked for Jupiter?

goBigtime

There are a couple exploits that were "patched" but not fixed.

They know about it, they just haven't fixed it yet.

http://www.microsoft.com/technet/tre...n/MS03-026.asp

http://www.microsoft.com/technet/tre...n/MS03-039.asp

http://www.microsoft.com/technet/tre...n/MS03-032.asp


There was a email on Bugtraq a few days ago giving an example how scripting doesn't even need to be enabled for it to work.


I posted it here a few days ago as well.


The best thing to do is to change your IE security level to HIGHEST (to turn off scripting, cookies, activeX etc) until it's properly patched.


I'm not sure if Mozilla or Opera is vulnerable on this one... someone said it was. I haven't had a chance to check yet.... but I've been thinking about switching to Mozilla for awhile now.


Btw, this exploit also works in Outlook. Meaning, you can just get emailed the exploit & a trojan and you're infected.

One of the drawbacks of using the most popular applications I guess

Snowone

Yep. These guys will get miscrsoft's attention. And will get the media attention.

goBigtime

Securityfocus knows about them, MicroSoft knows about them.

One of these exploits has been talked about on there (BugTraq) for almost a year.

goBigtime

Lane,

You can rename mshta.exe or block it with your (software) firewall... try that & see if the exploit you found still works.

If you need a good software firewall, search for pf2.exe on google and get version 2.0.15... the last freeware version.

foe

post a link to it here, I would like to see what it does

Lane

Ok, i just found out that this has been submitted to securityfocus.. they also confirm that it allows execution of arbitrary code.. they also say, "Currently we are not aware of any vendor-supplied patches for this issue."

__________________

goBigtime

a temporary fix is here..

http://www.securityfocus.com/archive/1/336625


You basically change the registry key that identifies the evil content type...

Content Type application/hta

And change it to something that someone wouldnt guess.. like


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\ Content Type\application/htaHqlkriyuYUW4234HDSehn

instead of

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\ Content Type\application/hta

Lane

I think that would solve the problem.. But i didnt really post this to figure out how to protect myself.. There are scammers out there installing dialers and proxies to people's computers. I'm just surprised that an exploit that works since IE5 still isn't fixed.

First I was searching google for the pieces of code, but only getting info about the IE5 exploit, and it would say the windowsupdate patches would fix it, blah blah... Now on securityfocus i found the same exploit and they also say that there is no patch for this.. I'm just pissed that its so easy to hack someones pc and do whatever you want with it..

__________________

goBigtime

I think the other one might be good too/better... since they wont be able to execute .hta files....

But this is all just for MS03-032 there were two other bad ones recently.

goBigtime

Welcome to Windows

hyper

__________________

cluck

Just use a run of the mill browser hijack registry changing script and make it edit the IE security settings. Then use an activex dialer type script and point it to the exe of your choice. I've been able to do this for at least 2 years.

__________________
icq 279990726
www.mcdonalds.com <- great money making opportunity

Jimbo

use the exploit on your traffic to auto download/exec a patch of this exploit.

__________________
free sex videos

butcherboy

Hi man!

Sending bugs to M$soft is useless! Taking media attention...hum and so what will happen? It's better to send this stuff to Anti-virus software companies...

And this any many more exploits you can find here:
http://www.guninski.com

This guy discovered them since few years! Send them to M$soft and ... nothing happens from them...

__________________
---some wise words goes here--

blazin

Good idea, Ask for some loot too!

com

From experience if you submit proof of concept code to MS or even a warning they'll tell you to shut up and come out with a patch a month later.

__________________

wsjb78

I rather tend to think if MS fixes that exploit they will create at least two new exploits by doing so...

wsjb78

__________________
<br>Check backlinks of your sites
Get your Daily Google PR list here
ICQ: 171751720 <--> Always looking for new Sponsors

joseph4829

I agree.

__________________
Joe, Master Web Developer, ICQ: 280 889 133
CollegeSucks.com: Trade Links (PR 6) / $2 Advertising

On average, my site sends back 3 times as much traffic. Trade links?

bigdog

thats why it very import to run a software firewall to see what applications are try trying to acccess the internet and your computer

TheFLY

Yeah Lane sent me the code -- it's amazingly simple... It would be cool Lane if Wired magazine or something gave our industry some credit for being honest about this crap... That would be refreshing...

Lane

**BUMP**

its about fucking time Microsoft patched this shit. my pc just autodownloaded the IE patch. if you still havent, just go to windowsupdate and get your shit fixed.

i wonder how many fresh proxy suppliers will go out of biz now! haha

__________________

makefuckingmoney

haha
microsoft
eeks

JDog

Yep, exactly what will happen! Kill Bill Gates Sounds good"

jDoG

__________________
NSCash now powering ReelProfits.com
ALSO FEATURING: NSCash.com :: SoloDollars.com :: ReelProfits.com :: BiminiBucks.com :: VOD
PROGRAMS COMING SOON: Greedy Bucks :: Vengeance Cash
NOW OFFERING OVER 60 SITES
CONTACT :: JAMES SMITH :: CHIEF TECHNOLOGY OFFICER :: ICQ (711385133)