| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Apr 2004 13:07:57 -0400 From: BugtraQ <bugtraqFolder@...services.com> To: bugtraq@...urityfocus.com Subject: RE: Netsky.R, auto execute w/ IE6 ? Thanks Jim, and all who replied. Updating MS Office w/ latest patches solved the problem. It appears it was the iframe issue you mentioned. Here is the message source for those who asked: ----------------------------------------------------------------- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content="MSHTML 5.00.2920.0" name=GENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=#ffffff><br>Mail Delivery - This mail couldn't be displayed<br><br>------------- failed message -------------<br>?2a$dmd-ekH-U?3C)7>JA!p|jxvM>g;öOigLW*8hiE<br>G1!K&o*(yßKAL #s7sMJwAmS2105NtW3%efpG7?$V)4(vf#><br>jHtC8HWc4VfUgtU2l55aWMD.PJK7.YD8bä:)pa cn|$qhz<br>Vü8sßZmQV4goigoLHcu$w%1hxo|ACKw0B8&ßOvüma,ö<br>V&;N>1:G<br><br>Me ssage has been sent as a binary attachment.<br> Or you can view the message at:<br><br> <a href=cid:121401Mfdab4$3f3dL780$75387018@...81fa70Re height=0 width=0>www.targetdomain.com/inmail/webmaster/mread.php?sessionid-20302</a> <iframe src=cid:121401Mfdab4$3f3dL780$75387018@...81fa70Re height=0 width=0></iframe> <DIV> </DIV></BODY></HTML> ------------------------------------------------------------------ -----Original Message----- From: James C Slora Jr [mailto:Jim.Slora@...a.com] Sent: Friday, April 02, 2004 2:30 PM To: 'BugtraQ'; bugtraq@...urityfocus.com Subject: RE: Netsky.R, auto execute w/ IE6 ? > I have received several emails (W2K, Outlook 2000) > that appear to be Netsky.Q or Netsky.R. When > opened these emails launch the attachment automatically. > Just to be sure, I did a windows update for all the > latest security patches. Even after this, Outlook > still opens the attached file on viewing the email. The MIME vulnerability should not affect you given the configuration you said you have. Netsky-Q also uses an iframe to try to autolaunch, though - that is probably what you are seeing. Your security settings in Outlook are probably not set to protect against iframe launches. Make sure your mail client is running in the Restricted Sites security zone (Tools>Options>Security>Zone Settings), and that the "Launching Programs and Files in an Iframe" right is set to "disabled" within that zone. Netsky.Q uses the following methods to try to execute the hostile attachment: ***** The social engineering setup: <BODY bgColor=3D#ffffff>If the message will not displayed automatically,<br> follow the link to read the delivered message.<br><br> Received message is available at:<br> A clickable link looks like it points at hotjobs but actually points to embedded executable: <a href=3Dcid:031401Mfdab4$3f3dL780$73387018@...81fa70Re height=3D0 width=3D0>www.hotjobs.com/inbox/serviceupdate/read.php?sessionid-4524</a> **** An I-Frame tries to auto-execute the embedded executable: Prevent this by running the mail client within the Restricted Sites security zone, and by ensuring "Launching Programs and Files in an Iframe" is disabled within that zone. <iframe src=3Dcid:031401Mfdab4$3f3dL780$73387018@...81fa70Re height=3D0 width=3D0></iframe> <DIV> </DIV></BODY></HTML> **** And finally the MIME type vulnerability tries to auto-execute the embedded executable. This exploit should be stopped by IE 6 or by MS01-020. Your computer probably does not try to execute from this. ------=_NextPart_001_001C_01C0CA80.6B015D10-- ------=_NextPart_000_001B_01C0CA80.6B015D10 Content-Type: audio/x-wav; name="message.scr" Content-Transfer-Encoding: base64 Content-ID:<031401Mfdab4$3f3dL780$73387018@...81fa70Re>
Powered by blists - more mailing lists