I have found an IE6 exploit, what should I do?

[Lane]

It an exploit that lets the attacker execute any code on the victims computer and edit the registry too. The victim can be infected simply by visiting a webpage.

I have all windows security updates and patches installed, it still works on my browser. I asked a few people to test it, it worked for them too.

I tried to submit a form to microsoft, which said they would get back to me in 24 hours, but they havent.. and i would surprised if they even read that shit.

What do you suggest I should do about this?

[Lane]

I havent discovered it, i just found it on a webpage that tried to run ftp on my machine to download some exe files to my pc, and only zonealarm could stop it from happening...

i looked through the code to figure out how it works and demonstrated it with some other harmless code and verified that it works.

[Muff]

If you want to get something done fucking going to Microsoft.

Goto the media. Goto wirednews.com cnn.com etc.. email them all and it will be patched in no time.

[Lane]

I'm sure a lot of those proxy selling people install shit to people's computers with this method..

[Lonny]

Good luck trying to send it to MSoft, The'll tell you to were aware of the problem wait for a patch to come out for the exploit...

[brand0n]

set it up to run auto run a dialer and send all your traffic there

j/k yea what he said, contact the media

[EscortBiz]

icq me ill give you the contact number of a top guy there

[Rorschach]

Switch to Linux.

[Lane]

Quote:

Originally posted by EscortBiz
icq me ill give you the contact number of a top guy there

thanks

[Lonny]

Quote:

Originally posted by Rorschach
Switch to Linux.

[rowan]

Lane, not sure if it's the same exploit, but I recently had a web page create and execute an EXE file on my desktop without warning. I'm up to date with patches and I have active-x on prompt.

I copied the vbscript and changed the name of the file it executes to something harmless like notepad.exe - but I couldn't reproduce it, I kept getting warnings that the script wasn't permitted to execute the file. I'm still scratching my head.

[Naughty]

Quote:

Originally posted by EscortBiz
icq me ill give you the contact number of a top guy there

Gotta love Escort P.I.

[Lane]

Quote:

Originally posted by rowan
Lane, not sure if it's the same exploit, but I recently had a web page create and execute an EXE file on my desktop without warning. I'm up to date with patches and I have active-x on prompt.

I copied the vbscript and changed the name of the file it executes to something harmless like notepad.exe - but I couldn't reproduce it, I kept getting warnings that the script wasn't permitted to execute the file. I'm still scratching my head.

lol, i did almost the same thing, i had it run wordpad and change my homepage, but mine worked

[Lane]

Quote:

Originally posted by Rorschach
Switch to Linux.

Uhm, lemme put it this way.. i wanna do something about it, i dont wanna just protect myself

[Lane]

another note: anti-virus software doesnt pick up this shit either.. i am running norton 2003 pro

[Forest]

I agree with mutt

the media

wirednews

cnbc

msnbc

they have the platform to get microsofts attn

[Lane]

Quote:

Originally posted by Forest
I agree with mutt

the media

wirednews

cnbc

msnbc

they have the platform to get microsofts attn

and how do i get the media's attention?

[Freestyleman]

i guess you mean the vulnerable object code thing?

[Lane]

Quote:

Originally posted by Freestyleman
i guess you mean the vulnerable object code thing?

something like that
pretty much the same exploit that used to be on IE5 that was patched long ago, but there is way to do it on IE6

[SomeCreep]

tell securityfocus.com

[Preacher]

[RainMailer]

Where did you find this exploit? I want to see if my machines are vulnerable. Oh yeah Phoenix rocks I worked there for like 3 months. Had fun even tho I found myself lost in the desert a few times and enjoyed driving like a madman with the rest of the people in phoenix.

[extreme]

Its a well known vuln ... a variant of the latest IE vuln. Norton catched one variant of it but I guess it can be bypassed pretty easily with some mods. I think switching off DirectX makes you resistant to it. Microsoft will prob. come out with a patch in a few days.

[goBigtime]

Quote:

Originally posted by Lane
It an exploit that lets the attacker execute any code on the victims computer and edit the registry too. The victim can be infected simply by visiting a webpage.

I have all windows security updates and patches installed, it still works on my browser. I asked a few people to test it, it worked for them too.

I tried to submit a form to microsoft, which said they would get back to me in 24 hours, but they havent.. and i would surprised if they even read that shit.

What do you suggest I should do about this?

I always thought you worked for Jupiter?

[goBigtime]

There are a couple exploits that were "patched" but not fixed.

They know about it, they just haven't fixed it yet.

http://www.microsoft.com/technet/tre...n/MS03-026.asp

http://www.microsoft.com/technet/tre...n/MS03-039.asp

http://www.microsoft.com/technet/tre...n/MS03-032.asp


There was a email on Bugtraq a few days ago giving an example how scripting doesn't even need to be enabled for it to work.


I posted it here a few days ago as well.


The best thing to do is to change your IE security level to HIGHEST (to turn off scripting, cookies, activeX etc) until it's properly patched.


I'm not sure if Mozilla or Opera is vulnerable on this one... someone said it was. I haven't had a chance to check yet.... but I've been thinking about switching to Mozilla for awhile now.


Btw, this exploit also works in Outlook. Meaning, you can just get emailed the exploit & a trojan and you're infected.

One of the drawbacks of using the most popular applications I guess

[Snowone]

Quote:

Originally posted by SomeCreep
tell securityfocus.com

Yep. These guys will get miscrsoft's attention. And will get the media attention.

[goBigtime]

Quote:

Originally posted by Snowone


Yep. These guys will get miscrsoft's attention. And will get the media attention.

Securityfocus knows about them, MicroSoft knows about them.

One of these exploits has been talked about on there (BugTraq) for almost a year.

[goBigtime]

Lane,

You can rename mshta.exe or block it with your (software) firewall... try that & see if the exploit you found still works.

If you need a good software firewall, search for pf2.exe on google and get version 2.0.15... the last freeware version.

[foe]

post a link to it here, I would like to see what it does

[Lane]

Ok, i just found out that this has been submitted to securityfocus.. they also confirm that it allows execution of arbitrary code.. they also say, "Currently we are not aware of any vendor-supplied patches for this issue."

[goBigtime]

a temporary fix is here..

http://www.securityfocus.com/archive/1/336625


You basically change the registry key that identifies the evil content type...

Content Type application/hta

And change it to something that someone wouldnt guess.. like


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\ Content Type\application/htaHqlkriyuYUW4234HDSehn

instead of

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\ Content Type\application/hta

[Lane]

Quote:

Originally posted by goBigtime
Lane,

You can rename mshta.exe or block it with your (software) firewall... try that & see if the exploit you found still works.

If you need a good software firewall, search for pf2.exe on google and get version 2.0.15... the last freeware version.

I think that would solve the problem.. But i didnt really post this to figure out how to protect myself.. There are scammers out there installing dialers and proxies to people's computers. I'm just surprised that an exploit that works since IE5 still isn't fixed.

First I was searching google for the pieces of code, but only getting info about the IE5 exploit, and it would say the windowsupdate patches would fix it, blah blah... Now on securityfocus i found the same exploit and they also say that there is no patch for this.. I'm just pissed that its so easy to hack someones pc and do whatever you want with it..

[goBigtime]

I think the other one might be good too/better... since they wont be able to execute .hta files....

But this is all just for MS03-032 there were two other bad ones recently.

[goBigtime]

Quote:

Originally posted by Lane

I'm just pissed that its so easy to hack someones pc and do whatever you want with it..

Welcome to Windows

[hyper]

[email protected]

[cluck]

Just use a run of the mill browser hijack registry changing script and make it edit the IE security settings. Then use an activex dialer type script and point it to the exe of your choice. I've been able to do this for at least 2 years.

[Jimbo]

use the exploit on your traffic to auto download/exec a patch of this exploit.

[butcherboy]

Hi man!

Sending bugs to M$soft is useless! Taking media attention...hum and so what will happen? It's better to send this stuff to Anti-virus software companies...

And this any many more exploits you can find here:
http://www.guninski.com

This guy discovered them since few years! Send them to M$soft and ... nothing happens from them...

[blazin]

Quote:

Originally posted by butcherboy
It's better to send this stuff to Anti-virus software companies...
them...

Good idea, Ask for some loot too!

[com]

From experience if you submit proof of concept code to MS or even a warning they'll tell you to shut up and come out with a patch a month later.

[wsjb78]

I rather tend to think if MS fixes that exploit they will create at least two new exploits by doing so...

wsjb78

__________________
<br>Check backlinks of your sites
Get your Daily Google PR list here
ICQ: 171751720 <--> Always looking for new Sponsors

[joseph4829]

Quote:

Originally posted by Muff
If you want to get something done fucking going to Microsoft.

Goto the media. Goto wirednews.com cnn.com etc.. email them all and it will be patched in no time.

I agree.

[bigdog]

thats why it very import to run a software firewall to see what applications are try trying to acccess the internet and your computer

[TheFLY]

Yeah Lane sent me the code -- it's amazingly simple... It would be cool Lane if Wired magazine or something gave our industry some credit for being honest about this crap... That would be refreshing...

[Lane]

**BUMP**

its about fucking time Microsoft patched this shit. my pc just autodownloaded the IE patch. if you still havent, just go to windowsupdate and get your shit fixed.

i wonder how many fresh proxy suppliers will go out of biz now! haha

[makefuckingmoney]

haha
microsoft
eeks

[JDog]

Quote:

Originally posted by ikonworx
Good luck trying to send it to MSoft, The'll tell you to were aware of the problem wait for a patch to come out for the exploit...

Yep, exactly what will happen! Kill Bill Gates Sounds good"

jDoG