lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: ACastigliola at (Castigliola, Angelo)
Subject: Spyware installs with no interaction in IE on fully patched XP SP2 box

I am sure there is a configuration setting or software (perhaps the
software made the configuration change) that is preventing this from
installing on your computer. 

I tested with a default XP SP1 install with all the Microsoft Updates
that have been applied to stop this type of IE hack. The spyware still
installs itself on the machine.

XP SP1 with the following patches:;en-us;814078;en-us;816093;en-us;823182;en-us;825119;en-us;832894;en-us;835732;en-us;840374;en-us;840315;en-us;839645;en-us;867801

These are _ALL_ the Microsoft Updates that specifically patch up IE

My question to the forum is: If this is not a 0-day IE exploit that
allows software to install on a computer with no user interaction then
what Microsoft Update applies to this exploit?

Again I fear there is no Microsoft Update available that will fix this

Can someone confirm that a Default install of XP SP2 with all patches
will not stop spyware from from installing?

Angelo Castigliola III
Operations Technical Analyst I
UnumProvident IT Services

-----Original Message-----
[] On Behalf Of Alla
Sent: Tuesday, October 05, 2004 7:01 AM
Subject: Re: [Full-Disclosure] Spyware installs with no interaction in
IE on fully patched XP SP2 box

Carr, Robert wrote:
> Interesting...
> I just went there, and he's right. installed without 
> permission. My McAfee picked it right up as Atpartners.dll, downloaded

> to Temp Internet files. Spyware detected as NetPals. On the other 
> hand, I'm admin of my machine, I wonder if a "user" would get an error

> message about not having the correct rights...

I have tested it on Windows XP SP2 and on fully patched Windows 2000. In

both cases _nothing_ gets run or installed. Both systems are more or 
less standard installations without any special IE hardening (except 

When I surf to the site with Windows XP "Installing components..." briefly appears in the status bar and then the site gets

displayed. Under the normal browser bars there is a message saying "The 
site might require the following ActiveX control: FREE on-line games and

special offers from... Click here to install...". I don't click on it. 
Searching the disk for or atpartners.dll finds nothing. 
The CLSID of the ActiveX control only appears in the registry in 

With Windows 2000 I also get "Installing components..." 
in the status bar and then the dialog box asking if I want to install 
"Free online games from". This is a usual dialog box you get

when a page attempts to install an ActiveX control. If I click "No", 
nothing gets installed, no atpartners files on the file system, no 
traces of the CLSID in the registry.

I suppose the cab file gets downloaded so that Windows can read and 
display the signature of the file. It does not get run or installed 
unless explicitly  permitted by user.

So, as far as I can see this is no 0-day.


Full-Disclosure - We believe in it.

Powered by blists - more mailing lists