Internet Explorer multiple vulnerabilities alert


LeRoi
09-08-2003, 09:00 AM
TITLE:
Special Update: Microsoft Internet Explorer Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA9580

VERIFY ADVISORY:
http://www.secunia.com/advisories/9580/

CRITICAL:
Extremely critical

IMPACT:
System access

WHERE:
From remote

REVISION:
3.0 originally posted 2003-08-20

SOFTWARE:
Microsoft Internet Explorer 6
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01

DESCRIPTION:
Microsoft has issued a cumulative patch for Internet Explorer, which
fixes multiple vulnerabilities. The worst vulnerability can lead to
execution of arbitrary code on the client system via HTML emails or
web sites.

1) A cross domain vulnerability exists in the way Internet Explorer
retrieves files from the cache. This can be exploited by a malicious
HTML document to execute arbitrary scripting in the "My Computer
Zone".


2) Internet Explorer determines whether an object is safe when it
interprets the file extension specified in the "Object Data" tag.
This allows a malicious person to specify a "safe" file with e.g. a
".html" extension in "Object Data", which causes Internet Explorer to
interpret it as a "safe" file. However, when the file is retrieved by
Internet Explorer the "Content-Type" header determines how the file
will be treated. This allows an executable file like a ".hta" file to
be treated as a "safe" file and be executed silently without
restrictions.

NOTE: Further information has been released by http-equiv, proving
that the patch from Microsoft is not adequate. Please refer to
solution section.

Secunia has constructed a vulnerability test, which can be used to
check if you are affected by this issue:
http://www.secunia.com/MS03-032/


3) The Kill Bit will be set on the Windows Reporting Tool ActiveX
control "BR549.DLL". This ActiveX control contains a vulnerability
which could be exploited by malicious HTML documents to execute
arbitrary code.

Furthermore, a language specific variant of the older object type tag
buffer overflow vulnerability (MS03-020) has been identified and is
fixed in this patch.

This update also fixes other minor issues.

The "Object Data" vulnerability is straightforward to exploit. In
many ways this vulnerability is similar to MS01-020 which was
exploited by notorious viruses like Nimda, Badtrans and Klez.


NOTE: Secunia has discovered exploitation of the "Object Data"
vulnerability in the wild. Analysis shows that the exploit installs a
program called ADPlus module or SurferBar, which is added to a user's
Internet Explorer and contains links to various porn sites. The
exploit does the following:

1) User receives an email, which exploits the "Object Data"
vulnerability.
2) The resource "a.cgi" is automatically requested from a webserver
(63.246.130.201), which installs the file "drg.exe" in "C:\".
3) The file is then executed and saves the resource "surferbar.dll"
from the same webserver as "win32.dll" (originally named
"adplus.dll") in the "C:\Program Files\" directory.
4) The file "win32.dll" is then executed by "regsvr32" and adds a bar
to the user's Internet Explorer.

SOLUTION:
Deactivate Active Scripting in Internet Explorer, until a patch
becomes available which fixes the new variant of the "Object Data"
vulnerability.


NOTE: The patch below does not fix the variant of the "Object Data"
vulnerability discovered by http-equiv.

The patch is available from:
http://windowsupdate.microsoft.com/
or
http://www.microsoft.com/windows/ie/downloads/critical/822925/default.asp

REPORTED BY / CREDITS:
1) Yu-Arai, LAC
2) Drew Copley, eEye Digital Security
3) Greg Jones, KPMG UK

http-equiv has supplied additional information about exploitation of
the "Object Data" vulnerability.

CHANGELOG:
2003-08-21: Updated critical rating and description due to detailed
information from eEye.
2003-08-22: Included link to Secunia vulnerability test.
2003-09-03: Secunia has discovered exploitation of the "Object Data"
vulnerability in the wild.
2003-09-07: Patch for the "Object Data" vulnerability has been proven
inadequate by http-equiv.

ORIGINAL ADVISORY:
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
http://www.eeye.com/html/Research/Advisories/AD20030820.html
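The "Object Data" flaw in item 2 of the advisory comes down to one inconsistency: Internet Explorer decided whether the referenced file was "safe" from the extension in the Object Data tag, but then handled the fetched body according to the server's Content-Type header. The check below is an added example, not code from Secunia, Microsoft or anyone in this thread. It shows how a mail gateway or web proxy can log that inconsistency: it pulls the data targets out of object tags, parses the HTTP response head, and flags any fetch whose URL extension promises a harmless document while the Content-Type says something executable. The extension and media-type lists, the sample HTML and the sample responses are all constructed for this example; the hostname example.invalid is a placeholder.

```python
# Added example (not part of the advisory or the thread): gateway-side check
# for the extension / Content-Type mismatch behind the "Object Data" flaw.
import posixpath
import re
from urllib.parse import urlsplit

# Extensions IE treated as harmless document types (assumed list for this example).
SAFE_EXTENSIONS = {".html", ".htm", ".txt", ".gif", ".jpg", ".jpeg", ".png"}

# Media types that mean "run this" rather than "render this" (assumed list).
EXECUTABLE_TYPES = {
    "application/hta",            # HTML Application, the .hta case in the advisory
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/octet-stream",
}


def parse_response_head(raw: bytes) -> tuple:
    """Split a raw HTTP response into (status code, lower-cased header dict).

    Only the head is read; the body after the blank line is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_block.decode("latin-1").split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def content_type_of(headers: dict) -> str:
    """Media type from Content-Type without parameters (e.g. charset)."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def find_object_data_urls(html: str) -> list:
    """Return every data="..." target of an <object> tag in the document."""
    pattern = r'<object\b[^>]*\bdata\s*=\s*["\']([^"\']+)["\']'
    return re.findall(pattern, html, flags=re.IGNORECASE)


def object_data_mismatch(url: str, raw_response: bytes) -> dict:
    """Flag a fetch whose URL extension looks safe but whose Content-Type is
    executable. Returns a small verdict dict suitable for a gateway log."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    _status, headers = parse_response_head(raw_response)
    ctype = content_type_of(headers)
    return {
        "url": url,
        "extension": ext,
        "content_type": ctype,
        "mismatch": ext in SAFE_EXTENSIONS and ctype in EXECUTABLE_TYPES,
    }


# Constructed sample: an HTML mail body with one object tag (no real site).
SAMPLE_HTML = (
    '<html><body><object data="http://example.invalid/page.html"></object>'
    "</body></html>"
)

# Constructed sample responses for that URL: one consistent, one not.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=iso-8859-1\r\n"
    b"Content-Length: 5\r\n\r\n<p>hi"
)
SUSPICIOUS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\n"
    b"Content-Length: 5\r\n\r\nxxxxx"
)


def scan(html: str, responses: dict) -> list:
    """Check every object data URL in html against its captured response."""
    return [object_data_mismatch(u, responses[u]) for u in find_object_data_urls(html)]


if __name__ == "__main__":
    url = find_object_data_urls(SAMPLE_HTML)[0]
    for verdict in scan(SAMPLE_HTML, {url: BENIGN_RESPONSE}) + scan(SAMPLE_HTML, {url: SUSPICIOUS_RESPONSE}):
        print(verdict)
```

The check only looks at what the server actually sent, which is the same signal Internet Explorer acted on; a gateway that blocks or quarantines on `mismatch` does not need to understand the Object Data tag's extension heuristic at all, only to notice when the two disagree.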

MiltWV
09-08-2003, 12:32 PM
Thanks for the warning LeRoi. I am downloading the patch as I type (hunt & peck) this. I also started a subscription to the Secunia.com newsletter in case any more of these pop up. I am already signed up for Microsoft bulletins, but have yet to receive any.

I have been using Mozilla for most of my browsing ever since I joined WorldStart and My PC Clinic. A lot of people seem to like it, so I decided to give it a try. Now unless I run into a page that doesn't seem to load right, that is about the only time I switch back to IE 6.0

joanied
09-11-2003, 01:21 PM
LeRoi,

I just used that link for the test of this thing at secunia.com
Right after I started the test my McAfee AV popped up with all sorts of warnings about a virus etc., and recommended I scan my system.
This scared me to death :unsure: can you please explain what I SHOULD see happening with this test and what should I do about the McAfee popup warnings??
Should I disable McAfee during this test?? Should I disable my popup stopper & firewall?
I have been having some 'problems' lately and would like to run this test...my computer freezes up once or twice a day while I am using it....
please help!!! :blush:
Thanks.
OH...also...since you seem to know all about the Microsoft updates... I have been getting the same update notice from them everyday... it's for the Security Update for Windows Media Player 7.1... update #817787
I have 2 or 3 of them, the same one, in my update history...why does MS keep sending me that same update??
Thanks again :wacko: :blush: :wacko:

LeRoi
09-11-2003, 01:48 PM
Hi Joanied,

I haven't tried the test at Secunia, I assume that what you are seeing in the A/V alerts is scripts trying to run. It might be best to disable your antivirus while running the test, but I assume that you are vulnerable if scripts are attempting to run, but McAfee is stopping them while they are attempting to run. The best thing you can do is to disable active scripting on the security tab of Internet Options>custom level, but this will limit functionality of many websites, including Windows Update (it won't work without ActiveX at least set to prompt). I use a browser for almost everything that can't run ActiveX at all (Mozilla) and I think it is much safer to use than IE.

That said, I am no fan of McAfee. I think it is one of the worst programs that a person can install on their pc. When I had an old version of the antivirus installed (came with my pc) I had nothing but freezes and other types of problems. I thought my pc was defective, it was that bad. I uninstalled McAfee and installed Norton antivirus and it acted like a totally different and much better machine, practically no freezes etc. After I learned what parts of Norton System Works didn't need to run in the background and disabled them, freezes/lockups stopped entirely, not entirely but they became an extremely rare occurrence. I can't remember the last time it happened, several months ago at least.

The update that M$ wants you to download will update WMP7.1 to WMP9. I use 7.1, but I do not allow it to access the internet. If you install WMP9, there is no way to uninstall it without reinstalling Windows. I do not recommend your "upgrading" to WMP9, but I also recommend you to not let 7.1 access the internet, there are vulnerabilities that are quite serious, but I don't remember exactly what they are off the top of my head.

I think you can do better than McAfee using a free firewall and a different antivirus program, there are many very good free firewalls available for download. I use Kerio v2.1.5 which is free for noncommercial personal use, but this is just one of many good free firewalls. McAfee can be very hard to uninstall. I was lucky with my older version because it cleaned up fairly well after itself, then Regcleaner was able to get rid of most of the rest of it after I deleted the Network Associates folder and other McAfee associated files. I just recently found another registry entry having to do with McAfee in my registry which I deleted manually.

AVG makes a free antivirus, but I have never used it. Many people do though and most are very happy with it. It is not very good at finding trojans, but you can do online scans for them.

joanied
09-12-2003, 04:54 PM
Hi LeRoi,
Geeze, I didn't see this reply you posted, and in my reply to you about the MemTurbo I asked about this Media Player update...sorry 'bout that :blush:
I am so #@**%#@ confused now... :wacko: I downloaded that MP7.1 #817787 update already...in fact, I have 2 or 3 downloads of the same @@&%%*# update.... Have I MESSED UP??? :doh:
What should I do about that update???
As for McAfee...well, hell, I have it paid for....I can't afford to let it go...or SHOULD I let it go?? see, I just don't know what the heck to do here :wacko:
HELP!!!
PS... I think I may try that test at Secunia again with McAfee and my PopupStopper disabled...see what happens. I did a stealth test and I am fully in stealth mode (whew!!) :thRt: