Micro$oft has not fully patched its poor IE

Those who installed the "New patch for Internet Explorer 5.5 and 6.0" should not celebrate too much, because the patch is only partial. Micro$oft, as always, has left one hole open so that life does not seem too sweet. More details are in the attached excerpt from the email.

She and her beta team forgot about *the* most important Content-Type:

Clearly what this so-called “patch” does is convert all embedded file types in MHTML documents viewed in patched Internet Explorer 6 into *.TMP files.
Previously all file types and file names were retained and if accepted would run.

What that means is when prompted for ‘opening or saving’, [screen shot: http://www.malware.com/dumbload.jpg 14KB], if your hand should slip or if you do not know any better and select ‘open’, because the file extension is *.TMP, you will be asked ‘what do you want to open the file with’ (screen shot: http://www.malware.com/sesame.jpg 20KB) which does indeed kill any accidental or running of the file.

Working example:

[open in IE6 “patched”]

http://www.malware.com/badman.zip 11KB

Before the patch and under an MHTML file situated on the web site and viewed with Internet Explorer 6, you would be in a position to manipulate the file extension and download box as displayed here:
[screen shot: http://www.malware.com/ohno.jpg 27KB]

Now with the so-called “patch”, regardless of the filename=”malware.exe” or the Content-Type: image/gif; combination, everything is effectively converted to a *.TMP file in the Temporary Internet File. Attempting to open the *.TMP, depending on what it is, will either bring up the ‘what do you want to open the file with’ box, or display the file as plain text.

Dangerous files such as *.exe or *.scr or *.bat simply will not run if you elect to run the file through the Internet Explorer 6 patched browser.
Sounds good.

Unfortunately, while she did a fairly reasonable job on this so-called “patch” she forgot one of the most important content-types. Her very own invention. The one and only:

Content-Type: application/hta;

We are still able to invoke a download, that if accepted will execute our malware on the target computer, through the “patched” Internet Explorer 6.

This newly found creation of download file conversion through MHTML to generic *.TMP file name on the download box coupled with the ‘supposed’ security of this so-called “patch” will most definitely yield plenty of quick prey:

Working Example:

[self explanatory includes harmless *.exe, open in IE6 “patched”]

http://www.malware.com/dumbload.zip 4KB


1. We note that this patch has zero effect on Outlook Express 6 and the ability to “spoof” file names [see: http://www.securityfocus.com/bid/3271].
Coming up 17 months and counting now.
2. Workhorse: Windows 98 and Internet Explorer 6.0.2600 and this so-called “patch”.
3. Seasons Greetings to Everyone. Yeah you too, incompetent slobs.

End Call
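Because the patched download box shows a generic *.TMP name, the file name alone is not a usable signal; the declared Content-Type of each embedded MHTML part is. The following is an added example, not part of the original post or email: a defensive scanner that walks the MIME parts of an MHTML document and flags `application/hta` parts and risky file names. The extension list, the function name `scan_mhtml` and the sample document are assumptions constructed for this illustration.

```python
import email
import os

# Extensions the email names as dangerous, plus .hta (assumed list for this example).
RISKY_EXT = {".exe", ".scr", ".bat", ".hta"}
# Content types handed to an application host instead of being rendered.
RISKY_TYPES = {"application/hta"}

def scan_mhtml(raw: bytes):
    """Return (content_type, filename, reason) for each suspicious embedded part."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue  # container only, no payload of its own
        ctype = part.get_content_type()   # lower-cased, parameters stripped
        fname = part.get_filename() or ""
        ext = os.path.splitext(fname)[1].lower()
        if ctype in RISKY_TYPES:
            findings.append((ctype, fname, "active content type"))
        if ext in RISKY_EXT:
            findings.append((ctype, fname, "risky file extension"))
    return findings

# Constructed sample: harmless placeholder bodies, headers modelled on the email's text.
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>constructed sample</body></html>\r\n"
    b"--b1\r\n"
    b"Content-Type: image/gif\r\n"
    b'Content-Disposition: attachment; filename="malware.exe"\r\n\r\n'
    b"placeholder\r\n"
    b"--b1\r\n"
    b"Content-Type: application/hta;\r\n"
    b'Content-Disposition: attachment; filename="report.tmp"\r\n\r\n'
    b"placeholder\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for finding in scan_mhtml(SAMPLE):
        print(finding)
```

The `application/hta` part is flagged even though its file name ends in the innocuous-looking `.tmp`, which is the case the email says the patch misses.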

