security@microsoft.com



Houser
02.04.2003, 22:07
Well, I have mailed the current "dialer entry points" to security [at] microsoft.com.
Since IE [unfortunately] has over 90% market penetration and is therefore the preferred target of the dialer mafia, Microsoft would have to react and at least shut down the ActiveX madness. [I hope, anyway]
Only the new Aconti dialer has unfortunately taught me otherwise :( It apparently goes after all browsers - a blanket attack - IE - Mozilla - Netscape - Opera ... and against all providers - T-Offline, AOL etc.
Idea - we have to point Microsoft to the dialer mafia's methods, if need be also via http://www.securityfocus.com
[please note - contact M$ first before a posting goes out to Bugtraq]

Martin S.
02.04.2003, 23:44
Even I, as a so-called "Microsoftie", give that little chance.
Regards,
Martin

--
One nation under one groove - Funkadelic 1978

Houser
06.04.2003, 13:47
Microsoft Security Response Center <secure [at] microsoft.com>
Thank you very much for your report. I will open an investigation with
our product team on this, and let you know what I hear back from them.
In the meantime, should you have any questions or concerns, please don't
hesitate to let me know.
Sincerest Regards,
Terri

CONTACT INFORMATION
May we contact you about this report?
Yes
COMPUTER INFORMATION
Manufacturer and model of your computer:
barebone PCs
Have you installed any additional hardware on the system?:
Yes
Intel NIC Pro 100+

What operating system are you using?:
Windows NT, Windows 2000, Windows XP
Have you installed any operating system service packs?:
Yes
SP6a, Sp3, sp1
Have you installed any operating system security patches?:
Yes
all post SP patches
AFFECTED PRODUCT
What product are you reporting a security vulnerability in?
Product Name:
Windows NT, Windows 2000, Windows XP
VULNERABILITY INFORMATION
Please describe the flaw in the product:
IE and Active X Vulnerability via urls

Is the flaw present in the product in the default configuration?
DID: [ID filtered]
Please tell us how to duplicate the problem in our laboratory:
Contact Me for a Program.
Please describe how someone might mount an attack via the flaw:
We have encountered serious problems with ActiveX dialers.
First it seems to be easy to install unwanted content via ActiveX - proof of concept:
http://secure.aconti.net/?AID=139340&AppUID=136445
The second offending one is http://www.movieplugin.com/plugin/plugin.exe
This is not the main problem out there. Internet Explorer [IE] can be insecure if the program handles links like this:
http://girl020.tripod.com.br/index.txt?sid=1A00021229560F144F0C505D4C5754085C595F550A5D0D590A45594445005B44
The main problem is that txt is displayed and acting as html - please fix this issue as soon as possible.
And the last one from me today - look at the source from the link mentioned above, it again uses some IE related features - only IE can handle that and thus for me it is a major security issue.

Please describe what the result of a successful attack would be:
unauthorized access to the system via the flaws of ie and active x
mentioned above
Please provide any additional information that might be helpful in
investigating this issue:
One of the main problems is that IE handles such URLs like
http://girl020.tripod.com.br/index.txt?
as HTML code, which should be fixed as soon as possible, and I know about deactivating ActiveX scripting in the security options but this disables some wanted website content ...

Houser
28.04.2003, 20:30
Thank you very much for your report. I hope to provide some additional insight to you on the issues which you have listed below.

First issue:
http://secure.aconti.net/?AID=139340&AppUID=136445
That's a page with an EXE on it. The surest way to be safe is not to run the executable. The fact that the executable was able to be crafted into the page is by design. Microsoft warns users against clicking on or downloading content from untrusted sites for this very reason.
The second issue:
http://www.movieplugin.com/plugin/plugin.exe
This is an executable as well, same as above - the answer is not to run it.
The third issue:
http://girl020.tripod.com.br/index.txt?sid=1A00021229560F144F0C505D4C5754085C595F550A5D0D590A45594445005B44
I don't know what this is really, just went to it for a sec and it looked like something I didn't want to be looking at so I closed the browser. You commented that "the main problem is that txt is displayed and acting as html - please fix this issue as soon as possible."
It sounds as though you may not be familiar with how IE determines how to render content. When I had a difficult time understanding this myself, I was directed to the following link and found it very helpful. I hope you will find it useful as well.
http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp
Thank you very much for taking the time to submit your report. If you have any additional questions or concerns, or feel that I have overlooked some crucial information, please do not hesitate to let me know.
Sincerest Regards,
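
As an added example, not code from the thread or from Microsoft: a small Python audit that emulates the rule the linked MSDN appendix describes for ambiguous server-declared types such as text/plain, so a site operator can find responses IE would render as HTML despite a plain-text Content-Type. The HTML marker list and the 200-byte sample size are assumptions approximating IE's behaviour, and the URLs and response bodies are constructed.

```python
# Added example (not from the thread): an offline emulation of the "ambiguous
# MIME type" rule from the MSDN MIME-detection appendix linked in the Microsoft
# reply, used as a server-side audit. Tag list and sample size approximate IE's
# behaviour and are assumptions, not IE's actual code.
from typing import Iterable, List, Optional, Tuple

SAMPLE_SIZE = 200  # IE inspects roughly the first 200 bytes of the body

# Tag prefixes that make a body "look like" HTML (approximate list).
HTML_MARKERS = (b"<html", b"<head", b"<title", b"<body", b"<script",
                b"<a href", b"<pre", b"<img", b"<table", b"<plaintext", b"<!--")

# Declared types IE treats as ambiguous and overrides with the sniffed type.
AMBIGUOUS_TYPES = {"", "text/plain", "application/octet-stream"}

def normalize_type(content_type: Optional[str]) -> str:
    """Drop parameters such as '; charset=...' and lower-case the media type."""
    return (content_type or "").split(";")[0].strip().lower()

def looks_like_html(body: bytes) -> bool:
    """True if an HTML marker appears inside the sniffed sample of the body."""
    sample = body[:SAMPLE_SIZE].lower()
    return any(marker in sample for marker in HTML_MARKERS)

def effective_type(content_type: Optional[str], body: bytes) -> str:
    """Type IE would render as: an ambiguous declared type becomes text/html
    when the sample holds HTML markers; an unambiguous one is kept."""
    declared = normalize_type(content_type)
    if declared in AMBIGUOUS_TYPES and looks_like_html(body):
        return "text/html"
    return declared

def audit_responses(responses: Iterable[Tuple[str, str, bytes]]) -> List[str]:
    """URLs whose declared type differs from what IE would render: each hit
    is a 'text' file that would run as a page, the index.txt case above."""
    return [url for url, ctype, body in responses
            if effective_type(ctype, body) != normalize_type(ctype)]

# Constructed sample responses: (url, Content-Type header, start of body).
SAMPLE_RESPONSES = [
    ("http://example.invalid/notes.txt", "text/plain", b"Just some notes.\n"),
    ("http://example.invalid/index.txt", "text/plain; charset=iso-8859-1",
     b"<HTML><body><script>window.open('popup.html')</script>"),
    ("http://example.invalid/late.txt", "text/plain",
     b"x" * SAMPLE_SIZE + b"<script>window.open('popup.html')</script>"),
    ("http://example.invalid/page.html", "text/html", b"plain words only"),
]
```

Only index.txt is flagged: late.txt keeps its declared type because the tag sits beyond the sampled bytes, and page.html is not ambiguous to begin with. Later IE versions honour the X-Content-Type-Options: nosniff response header, which disables this sniffing for a response.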

Houser
28.04.2003, 21:01
Thank you for your answer, but some problems still persist here.
First, how IE handles MIME.
A new link: http://www.sexflatrate.biz/?sid=1620450651046713660651258733075
Be careful, it opens many popups with dialer downloads; sure, you will remind me: do not install that .exe stuff, ok, that is not the problem here.
The problem still lies in the handling of this site by IE.
I tried some other browsers; Opera and Mozilla show only strange characters like " pbzj " [Mozilla] or ";wcrmpt!jgfepned$3
!Merj^dshvv!5d{lbtlfj&g,x/upat" [Opera]
The interesting thing is, if you look at the HTML source (I recommend http://www.swishweb.com/dec.htm - try DePsyralizer and DePsyralizer for that), only IE handles that source "right" - other browsers will fail.
That is no "one vendor good, other bad" thing, that is a security risk - just look at the encrypted code, which seems to be specially coded for IE users.
The second thing about IE is that there is a vulnerability in Windows.
The folder "Downloaded Program Files" in the %systemroot% path does not show all installed programs in Explorer view. Only the MS-DOS console or special tools give deep insight, and here we have the next problem: malware like virii and dialers can reside here and even install with a simple "regsvr32" command on a webpage (ActiveX enabled).
The malware downloads itself as a CAB file and installs without user knowledge or warning.
Therefore I can only recommend my users to deactivate Active Scripting.
Third thing:
Some malware is even digitally certified by Thawte Server CA Certification Services Division server-certs [at] thawte.com
Some of these programs are calling themselves "Multimedia Update" with the Windows Media Player logo - this is not only copyright theft, this is illegal; some updates via ActiveX show (fake) Microsoft logos.
As Administrator I know what to do, but as a harmless user I wouldn't.
In my opinion the digital signing of drivers and the enforcement of security in Win XP is useless if every person can sign malware digitally.

Greetings,