Message-ID: <freemail.20040510101421.26543@fm4.freemail.hu>
From: etomcat at freemail.hu (Feher Tamas)
Subject: FD info prompts M$ to summon the FBI on spy-vertisers

http://zdnet.com.com/2100-1105-5229707.html 

IE flaws used to spread pop-up toolbar
by Robert Lemos, CNET News, 09 June 2004

An adware purveyor has apparently used two previously unknown 
security flaws in Microsoft's Internet Explorer browser to install a 
toolbar on victims' computers that triggers pop-up ads, researchers 
said this week. 

One flaw lets an attacker run a program on a victim's machine, while 
the other enables malicious code to "cross zones," or run with 
privileges higher than normal. Together, the two issues allow for the 
creation of a Web site that, when visited by victims, can upload and 
install programs to the victim's computer, according to two analyses of 
the security holes. 

The possibility that a group or company has apparently used the 
vulnerabilities as a way to sneak unwanted advertising software, or 
adware, onto a user's computer could be grounds for criminal charges, 
said Stephen Toulouse, security program manager for Microsoft. 

"We consider that any use of an exploit to run a program is a criminal 
use," he said. "We are going to work aggressively with law 
enforcement to prosecute individuals or companies that do so." 

Microsoft learned of the issue when a security researcher posted an 
analysis of the problem to the Full Disclosure security mailing list 
Monday. The software giant has already contacted the FBI and is in 
the "early stages" of building the case, Toulouse said. The company is 
considering creating a patch quickly and releasing it as soon as 
possible, rather than waiting for its usual monthly update. 

The flaws are apparently being used to install the I-Lookup search bar, 
an adware toolbar that is added to IE's other toolbars. The adware 
changes the Internet Explorer home page, connects to one of six 
advertising sites and frequently displays pop-ups--mainly pornographic 
ads, according to an adware advisory on antivirus company Symantec's 
Web site. 

On Tuesday, security information group Secunia released an advisory 
about the problem, rating the two flaws "extremely critical." 

"Secunia has confirmed the vulnerabilities in a fully patched system with 
Internet Explorer 6.0," the group wrote. "It has been reported that the 
preliminary SP2 (a major security update being developed by Microsoft) 
prevents exploitation by denying access." 


The flaws could let any attacker with a Web site send an e-mail 
message or an instant message with a link that, when clicked on by an 
Internet Explorer user, would cause a program to run on that victim's 
computer. 

The original analysis, written by a Netherlands student researcher, 
Jelmer Kuperus, found that the type of programming needed to 
take advantage of at least one of the flaws required sophisticated 
knowledge of the Windows operating system. 

"While sophisticated, it's so easy to use, anyone with basic computer 
science can set up such a page, now that the code is out there in the 
open," Kuperus wrote in an e-mail interview with CNET News.com. "It's 
just a matter of changing two or three (Internet addresses) and 
uploading another" executable file. 

Kuperus, who used an e-mail account based in the Netherlands, wrote 
in a Monday e-mail that he had been tipped off to the adware Trojan 
horse by an unnamed individual. 

"Being rather skeptical, I carelessly clicked on the link only to witness 
how it automatically installed adware on my PC!" he wrote. 

The Internet address from which the adware Trojan horse was 
downloaded resolves to I-Lookup.com, a search engine registered in 
Costa Rica that antivirus firms Symantec and PestPatrol have linked to 
aggressive advertising software. Two of the top three searches on the 
site relate to removing such programs, according to I-Lookup.com's 
own statistics. 

A domain name search shows i-Lookup.com's parent company to be 
Aztec Marketing, but Pest Patrol links the site with iClicks Internet. 
E-mails sent to both companies for comment were not immediately 
answered. 

Kuperus believes that i-Lookup.com's parent company may not be 
directly responsible for the adware-installing Trojan horse program, but 
that it could be rewarding the creator through an affiliate program. 

"It does pass along a referrer code when downloading," he 
said. "Whomever created this probably is getting money for every 
install, so if the folks at (i-Lookup.com) would be willing, they would be 
able to track down the perpetrators." 

Microsoft's Toulouse said Internet Explorer users could harden the 
software against such attacks by following instructions on the 
company's site. Other browsers available on Windows, such as Opera 
and Mozilla, do not contain the flaws. 

