Politics : PRESIDENT GEORGE W. BUSH


To: sandintoes who wrote (666237) 12/27/2004 12:53:08 PM
From: DuckTapeSunroof
 
Just an area where I have some expertise....

You are, of course, free to use any monopoly buggy software you want to... not any skin off of my nose.

(But people who come to me for tech help will generally get my honest recommendations as to how best to avoid virus/trojan/spyware compromises... and those who persist in bad practices generally are made the butt of jokes....)



To: sandintoes who wrote (666237) 12/27/2004 1:37:29 PM
From: DuckTapeSunroof
 
Just a few of the most recent reported issues:

(1) HIGH: Microsoft Windows HTML Help ActiveX Control Vulnerability
Affected:
Internet Explorer version 6.0
Windows XP SP2

Description: This vulnerability in the HTML Help ActiveX Control can be
used to completely compromise a Windows client. An attacker can exploit
the flaw by constructing a malicious webpage or an HTML email. Browsing
the webpage or opening the email is sufficient for the client compromise
i.e. no further user interaction is required. The problem occurs because
it is possible to inject JavaScript code in the HTML Help ActiveX
control's parameters. By forcing the control to open a local file, it
is then possible to execute the JavaScript code in the context of the
"Local Computer" zone. Technical details and a proof-of-concept exploit
have been publicly posted. The PoC exploit, when run on Windows XP SP2,
creates "Microsoft Office.hta" file in the "Documents and Settings\All
Users\Start Menu\Programs\Startup" directory.

Status: Microsoft not confirmed, no patches available. A workaround is
to disable "Active Scripting" in Internet Explorer.

Council Site Actions: Due to holidays and the late-breaking nature of
the issues, we were unable to solicit any council site responses.

References:
Posting by Paul: freehost07.websamba.com
PoC Exploit (Warning: Clicking the following link will launch the PoC Exploit): freehost07.websamba.com
SecurityFocus BID: Not yet available.

***********************************************************************

(2) HIGH: Microsoft Windows USER32 Library LoadImage Buffer Overflow
Affected:
Windows NT/2000/XP SP0 and SP1/2003

Description: The USER32 library contains Windows API functions for user
interface handling. The "LoadImage" function is responsible for handling
files such as icons, cursors, animated cursors and bitmaps. The
"LoadImage" function reportedly contains a heap-based buffer overflow
that can be triggered by a specially crafted icon, cursor or bitmap
file. The problem occurs because the declared image size is not checked
prior to opening the image. The flaw may be exploitable to
execute arbitrary code on the client. To exploit the flaw, an attacker
can take any of the following actions:

(a) Create a webpage containing a malicious .ico, .bmp, .ani or .cur
file, and entice a user to visit his webpage.

(b) Send an HTML email containing the malicious .ico, .bmp, .ani or .cur
file.

(c) Create a shared folder containing the malicious .ico, .bmp, .ani or
.cur file, and entice a user to browse his shared folder.

The technical details and exploit code have been publicly posted.

Status: Microsoft not confirmed, no patches available. XP SP2 is reportedly not vulnerable.

Council Site Actions: Due to holidays and the late-breaking nature of
the issues, we were unable to solicit any council site responses.

References:
Posting by flashsky fangxing: securityfocus.com
Exploit Code: xfocus.net
LoadImage Function Reference: msdn.microsoft.com
SecurityFocus BID: Not yet available.

***********************************************************************

(3) MODERATE: Microsoft Windows Winhlp32.exe Buffer Overflows
Affected:
Windows NT/2000/XP/2003

Description: The Winhlp32.exe application is responsible for handling
Windows Help (".hlp") files. This application reportedly contains a
heap-based buffer overflow and an integer overflow vulnerability. A
specially crafted ".hlp" file may exploit these flaws to execute
arbitrary code on the client system with the privileges of the logged-on
user. Note that Windows prompts a user before downloading and opening a
".hlp" file. Hence, exploiting the flaw via a hyperlink or frame
pointing to the malicious .hlp file will require user interaction.
However, it may also be possible to invoke Winhlp32.exe via the HTML
Help ActiveX Control, and exploit the flaw without any user interaction
(not confirmed). The technical details and proof-of-concept exploits
have been publicly posted.

Status: Microsoft not confirmed, no patches available. Users should not
open .hlp files downloaded from untrusted sources.

Council Site Actions: Due to holidays and the late-breaking nature of
the issues, we were unable to solicit any council site responses.

References:
Posting by flashsky fangxing: securityfocus.com
PoC Exploits: xfocus.net, xfocus.net
SecurityFocus BID: Not yet available.

*************************************************************************

(4) MODERATE: Internet Explorer DHTML Edit ActiveX Control Spoofing
Affected:
Internet Explorer version 6.0 and possibly prior

Description: This Internet Explorer (IE) vulnerability allows an
attacker to trick a victim into visiting a malicious site. The attack
occurs when a victim clicks a link supplied by the attacker in an email
or on a webpage, which according to IE's address bar points to a trusted
site. However, the attacker can manipulate all the contents of the
trusted site's webpage. Hence, any information entered by the user on
such a page can be stolen by the attacker (phishing attacks). The
problem occurs due to a flaw in IE's DHTML Edit ActiveX control. The
control's "execScript" function does not sufficiently validate a
window's domain prior to executing a script. The attacker can leverage
the flaw in the execScript function to re-write the contents of a
trusted site's webpage. Note that the attacker can also spoof the
content of secure sites by exploiting this vulnerability, as IE shows a
"Lock" icon in the bottom right-hand corner of a spoofed webpage.

Status: Microsoft not confirmed, no updates available. An option is to
disable ActiveX controls. However, that may downgrade the users' web
browsing experience. Users should be advised to type the web
addresses of sensitive sites (banks, etc.) themselves and not to open
links to secure sites embedded in another page or an email.

Council Site Actions: All council sites are awaiting confirmation from
the vendor and a patch. They plan to patch during the regular system
update process. One site commented that they consider IE
vulnerabilities a level 4 on a scale from 1 to 5 for servers and a level
5 on a workstation. Thus, this is not a priority to patch for them.
Another site is still investigating replacing IE with Firefox as a long
term strategy move.

References:
Posting by Paul: freehost07.websamba.com
PoC Code: freehost07.websamba.com, secunia.com
DHTML ActiveX Control: msdn.microsoft.com, msdn.microsoft.com
Secunia Advisory: secunia.com
SecurityFocus BIDs: Not available yet.
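The "declared image size is not checked prior to opening" pattern from item (2), together with the integer-overflow variant mentioned in item (3), as an added example in C. This is not code from the post, the SANS advisory, or Microsoft: it uses a made-up toy image header (magic "TIMG", width, height, bit depth, declared pixel-byte count), not the real ICO/BMP/CUR/HLP layouts, and `parse_header`, `naive_overflow_bytes`, `load_image_safe`, `build_image` and the `scenario_*` helpers are names chosen here. The naive path only computes how far a copy driven by the declared field would run past a buffer sized from the dimensions, rather than performing it, so the example never corrupts its own heap; the hardened loader cross-checks dimensions, bit depth, declared length and the bytes actually present before it allocates or copies anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy header, constructed for this example (not a real Windows
   image format): "TIMG", width u32 LE, height u32 LE, bpp u8,
   declared pixel-data byte count u32 LE, followed by the pixel bytes. */
#define HDR_LEN 17
#define MAX_DIM 4096u

typedef struct {
    uint32_t width, height, declared;
    uint8_t bpp;
} img_hdr;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse only the fixed-size header; returns 0 on success. */
int parse_header(const uint8_t *buf, size_t len, img_hdr *h) {
    if (len < HDR_LEN || memcmp(buf, "TIMG", 4) != 0) return -1;
    h->width = rd32(buf + 4);
    h->height = rd32(buf + 8);
    h->bpp = buf[12];
    h->declared = rd32(buf + 13);
    return 0;
}

/* The unchecked pattern: buffer sized from the dimensions (with a 32-bit
   product that can wrap), copy length taken from the declared field.
   Returns how many bytes such a copy would write past the allocation. */
size_t naive_overflow_bytes(const uint8_t *buf, size_t len) {
    img_hdr h;
    if (parse_header(buf, len, &h) != 0) return 0;
    uint32_t alloc = h.width * h.height * (uint32_t)(h.bpp / 8); /* may wrap */
    return h.declared > alloc ? (size_t)(h.declared - alloc) : 0;
}

/* Hardened loader: validate every field, compute the size without wrap,
   require the declared length to match it and to fit in the bytes present.
   Returns a malloc'd pixel buffer (caller frees) or NULL on rejection. */
uint8_t *load_image_safe(const uint8_t *buf, size_t len, size_t *out_len) {
    img_hdr h;
    if (parse_header(buf, len, &h) != 0) return NULL;
    if (h.width == 0 || h.height == 0 || h.width > MAX_DIM || h.height > MAX_DIM)
        return NULL;
    if (h.bpp != 8 && h.bpp != 24 && h.bpp != 32) return NULL;
    uint64_t expected = (uint64_t)h.width * h.height * (h.bpp / 8); /* no wrap: dims <= 4096 */
    if (expected != h.declared) return NULL;      /* header inconsistent with itself */
    if (expected > len - HDR_LEN) return NULL;    /* truncated input */
    uint8_t *pixels = malloc((size_t)expected);
    if (!pixels) return NULL;
    memcpy(pixels, buf + HDR_LEN, (size_t)expected);
    *out_len = (size_t)expected;
    return pixels;
}

/* Build a constructed sample file; returns total length or 0 if it does not fit. */
size_t build_image(uint8_t *out, size_t cap, uint32_t w, uint32_t hgt,
                   uint8_t bpp, uint32_t declared, size_t payload) {
    if (cap < HDR_LEN + payload) return 0;
    memcpy(out, "TIMG", 4);
    put32(out + 4, w); put32(out + 8, hgt); out[12] = bpp; put32(out + 13, declared);
    memset(out + HDR_LEN, 0xAB, payload);
    return HDR_LEN + payload;
}

/* Scenarios: a benign 2x2 8-bpp file, one that lies about its data length,
   and one whose dimensions wrap the 32-bit size computation to zero. */
size_t scenario_benign_loaded(void) {
    uint8_t f[64]; size_t out = 0;
    uint8_t *px = load_image_safe(f, build_image(f, sizeof f, 2, 2, 8, 4, 4), &out);
    free(px);
    return px ? out : 0;
}
size_t scenario_lying_naive(void) {
    uint8_t f[256]; return naive_overflow_bytes(f, build_image(f, sizeof f, 2, 2, 8, 200, 200));
}
int scenario_lying_safe_rejected(void) {
    uint8_t f[256]; size_t out = 0;
    return load_image_safe(f, build_image(f, sizeof f, 2, 2, 8, 200, 200), &out) == NULL;
}
size_t scenario_wrap_naive(void) {
    uint8_t f[128]; return naive_overflow_bytes(f, build_image(f, sizeof f, 0x10000, 0x10000, 32, 64, 64));
}
int scenario_wrap_safe_rejected(void) {
    uint8_t f[128]; size_t out = 0;
    return load_image_safe(f, build_image(f, sizeof f, 0x10000, 0x10000, 32, 64, 64), &out) == NULL;
}

int main(void) {
    printf("benign: %zu pixel bytes loaded\n", scenario_benign_loaded());
    printf("lying header: naive copy overruns by %zu bytes, safe loader rejects=%d\n",
           scenario_lying_naive(), scenario_lying_safe_rejected());
    printf("wrapped dims: naive copy overruns by %zu bytes, safe loader rejects=%d\n",
           scenario_wrap_naive(), scenario_wrap_safe_rejected());
    return 0;
}
```

The two rejections show the two distinct checks a loader needs: the declared length must agree with a size derived from validated dimensions, and that size must be computed in a width that cannot wrap (or be bounded so that it cannot). Either check alone leaves one of the two crafted files accepted.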