Message-ID: <200404062156.i36LuvW9001159@web129.megawebservers.com>
From: 1 at malware.com (http-equiv@...ite.com)
Subject: IE exploit going around on irc
<!--
I thought you were already aware of the text/x-scriptlet
object variation of Ibiza which was exploited in the wild before
Ibiza was even discussed on Bugtraq
-->
Really? I'd be most interested in seeing a reference to that. The
time-line I have is:
1. On Wednesday, February 11, 2004 3:21 AM someone sent me a
link to www.ibiza-victoria.com which was riddled with images
and iframes pointing to the chm file. At the time nothing
happened when viewing it as it used the object code base in the
chm to trigger, which was patched on XP; as a result no further
examination took place.
2. Liu Die's fake mhtml redirect was published in December 2003
along with minor mentions of similar fake file tricks prior to
that.
3. On Sat Mar 27 2004 - 13:17:45 CST the "new worm?" thread was
posted on bugtraq. At the time I took Internet Explorer to the
address and port mentioned in the post and actually infected
myself. Closer examination revealed the exact same technique as
ibiza, that is, with iframes and images used to render, draw to
the cache and refresh in order to activate it.
4. Trying to reproduce on my server failed and at that time I
placed it in an object with type="text/x-scriptlet" without the
need for refresh or images to cache the file or iframes to
render it. Hence my notation with the demo of a more robust
method.
5. Punching in <object data="ms-its:mhtml: to google which is
the core of this, reveals nothing prior to April. That is object
with type="text/x-scriptlet" and referencing a non-existent
mhtml file inside a chm to redirect to the local file.
http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%3Cobject+data%3D%22ms-its%3Amhtml%3A&btnG=Search
Therefore when and when exactly was this same technique used
prior to ibiza being posted on bugtraq?
This is not about semantics but about accuracy in security, the
lack of which leads to insecurity or no security at all.
--
http://www.malware.com