Executing arbitrary commands without Active Script


Zhen-Xjell
February 28th, 2002, 01:34 PM
Any application that hosts the WebBrowser control (5.5+) is affected since this exploit does not require Active Scripting or ActiveX. Some of these applications are:

-Microsoft Internet Explorer
-Microsoft Outlook
-Microsoft Outlook Express

http://security.greymagic.com/adv/gm001-ie/

-------------------------------
Of particular interest: while running Proxomitron, nothing was executed on the test pages via the supplied link above.

Old_Sixteen
March 4th, 2002, 02:57 PM
I saw that the security "test" page at Greymagic on the IE exploit has been amended as follows:

-{ Quote: "Update - 3 Mar 2002

Since the injected <object> runs in the "My Computer" Zone, changing the Internet Zone's settings didn't affect it, but changing the correct zone's settings will prevent this exploit from running. Here is the registry information:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Change the value of "1004" (DWORD) to 0x3."
[END QUOTE]
-------------------------------

I have done this edit on my WIN98 IE 6.0 OS (made a reg.bak first) and so far, have the following to share:

(ON Greymagic test page) When running the second
option demo "advanced" (I entered win98 path for
calculator), a windows dialog box now pops up:

-------------------------------
SECURITY WARNING:
Do you want to install and run
"file://C:\windows\calc.exe"?

Authenticode signature not found.
--------------------------------

Also, this came to my attention as a result of playing with the Greymagic demonstration...

-{ Quote: "New Ad-Aware spyware detection, registry entry source:

http://security.greymagic.com/adv/gm001-ie/

Under "Demonstration", the advanced option
(http://security.greymagic.com/adv/gm001-ie/advbind.asp)

This test allows the user to insert his own path in the command line.

10:45 greymagic site, ran (opened) both Calc.exe and Sol.exe.
Going back to the registry to look...
It was back. Deleted again (this time the Download Information "CODEBASE" value was "file://C:\windows\sol.exe"). Confirmed that the value of "CODEBASE" will be the last item which you ran from the GreyMagic command line: solitaire, notebook, calculator, etc.

Note: Running this test also created an ActiveX object in IE, named "{11111111-1111-1111-1111-111111111111}".

Both the ActiveX object and the registry entry are safely removed by Ad-Aware."[END QUOTE]

8)
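The registry change quoted above (zone 0, action "1004", data 0x3) is the mitigation the thread settles on. As an added example that is not part of the thread or of GreyMagic's advisory, the PowerShell below audits that action across every security zone and applies the zone-0 change. It assumes the per-user zone keys live under HKCU (the key quoted in the post), that each zone key carries a DisplayName value (the built-in zones do), and that action 1004 is the "Download unsigned ActiveX controls" setting with data 0 = Enable, 1 = Prompt, 3 = Disable, which is how IE documents it; the helper name Get-ZoneActionState is mine.

```powershell
# Added example, not from the thread: audit IE security-zone action 1004 in every zone
# and harden zone 0 ("My Computer"), the zone the advisory update names.
# Assumption: action 1004 = "Download unsigned ActiveX controls"; 0 = Enable, 1 = Prompt, 3 = Disable.
# Assumption: per-user zone keys exist under HKCU and carry a DisplayName value.

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$action    = '1004'
$labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActionState {
    # Returns one object per zone: its number, display name, raw DWORD and a readable state.
    param([string]$Root, [string]$ActionId)
    Get-ChildItem -Path $Root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $raw   = $props.$ActionId          # $null when the value is absent in this zone
        $state = if ($null -eq $raw) { '(not set)' }
                 elseif ($labels.ContainsKey([int]$raw)) { $labels[[int]$raw] }
                 else { "unknown ($raw)" }
        [pscustomobject]@{
            Zone   = $_.PSChildName
            Name   = $props.DisplayName
            Value  = $raw
            State  = $state
            AtRisk = ($raw -eq 0)           # "Enable" is the setting the demo page relies on
        }
    }
}

# 1. Report the current state of every zone (zone 0 is hidden in the IE UI but present here).
Get-ZoneActionState -Root $zonesRoot -ActionId $action | Format-Table -AutoSize

# 2. Apply the advisory's mitigation to zone 0. -WhatIf previews the write; remove it to apply.
#    Export the key first (reg export "HKCU\...\Zones\0" zone0.reg) as the post's author did.
$zone0 = Join-Path $zonesRoot '0'
Set-ItemProperty -Path $zone0 -Name $action -Value 3 -Type DWord -WhatIf

# 3. Re-check zone 0 after the write.
(Get-ZoneActionState -Root $zonesRoot -ActionId $action | Where-Object Zone -eq '0').State
```

Run it as the user whose profile is being hardened, since the key is under HKCU. If a machine is configured to take zone settings only from HKLM (the Security_HKLM_only policy), the per-user value is ignored and the same change has to be made under the matching HKLM key instead.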

Checkout
March 4th, 2002, 06:45 PM
I presume Proxomitron could handle this with ease...?

javacool
March 4th, 2002, 08:05 PM
What I find interesting is on my Windows XP system, when I change that registry entry, I do not get a box prompting anything - I simply get a message saying "your current security settings prevent running ActiveX controls of this nature"...

Is this some "feature" specific to Windows XP?

FanJ
March 4th, 2002, 09:54 PM
An interesting thread about the topic is going on at DSLR:
http://www.dslreports.com/forum/remark,2627979~root=security,1~mode=flat

FanJ
March 4th, 2002, 10:08 PM
And here you can also read about it:
http://edensoft.com/exploit.html

javacool
March 4th, 2002, 10:14 PM
Found that last link, hadn't found the other - thanks.

On a side note, I find it amusing that Microsoft is saying that if they are forced to remove IE from Windows, they will pull Windows XP and 2000 off the market and not develop new versions (on dslreports.com).

But still, I think the extra code time to make IE removable from Windows could be VERY useful to removing SYSTEM vulnerabilities like these - but wouldn't that also remove a Microsoft monopoly? Oops...oh well...

javacool
March 4th, 2002, 10:17 PM
-{ Quote: "I presume Proxomitron could handle this with ease...?" }-

On the dslreports.com link that was provided by FanJ, it IS stated that Proxomitron blocks this with one of its filters.

(On another side note, check out my posting here: http://www.security-pro.co.uk/yabb/YaBB.pl?board=osif;action=display;num=1015289148 about how a Java applet can redirect browser traffic and steal personal data (in some ways) when you are using any type of proxy (Microsoft Bulletin MS02-03; a patch is provided).)

FanJ
March 4th, 2002, 10:26 PM
-{ Quote: "On the dslreports.com link that was provided by FanJ, it IS stated that Proxomitron blocks this with one of its filters." }-

Yep,
ZX also wrote that in the first posting of this thread :)

Zhen-Xjell
March 5th, 2002, 11:40 AM
Proxomitron.. what an easter basket.

Checkout
March 5th, 2002, 11:48 AM
-{ Quote: "Proxomitron.. what an easter basket." }-
Zhen-Xjell, have you got a 25-words or less guide to installing your ZX list into Proxomitron?

Merci. (I've gone hard-of-thinking today.)

PS hope all's well with your grandfather.

Zhen-Xjell
March 5th, 2002, 12:28 PM
Thanks Checkout.

Unzip zx.zip into proxo root directory. Configure your browser to use it: "localhost" port "8080" in HTTP. Enable HTTP 1 over proxy connections. Start Proxo!

(25 words exact)

Checkout
March 5th, 2002, 03:40 PM
-{ Quote: "Thanks Checkout.

Unzip zx.zip into proxo root directory. Configure your browser to use it: "localhost" port "8080" in HTTP. Enable HTTP 1 over proxy connections. Start Proxo!

(25 words exact)" }-
Thank you. (Two wor...oh hell, I blew it!)