
SANS ISC: InfoSec Handlers Diary Blog



An unpatched IE exploit invokes a second older unpatched IE exploit

Published: 2004-04-10
Last Updated: 2004-04-11 02:23:20 UTC
by Kevin Hong (Version: 1)

It has been a quiet day. One of the handlers (Patrick Nolan) mentioned that another unpatched IE exploit has a first part, "incorrect handling of HTML files embedded in CHM files", that invokes a second, older unpatched IE exploit (ADODB) to run code of the attacker's choice.

According to the description of the Trunlow Trojan on the Symantec website (http://securityresponse.symantec.com/avcenter/venc/data/trojan.trunlow.html):

The first part of this exploit - "HTML component: This is a piece of html code that downloads and executes the VBScript component. This code may be added to pages on legitimate Web sites whose security has been compromised. Some versions use the exploit described in Bloodhound.Exploit.6."

The second part exploits the ADODB stream object vulnerability to download and execute files.

"By embedding a specially crafted URL in a Web page and having that URL refer to a CHM file containing an HTML file with scripts in it, an attacker could force the user who views the Web page with a vulnerable version of Internet Explorer to download and execute files."

As usual, follow the best practices (patch IE, do not follow unsolicited links, update virus definitions, etc.).
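A defender-side check for the two stages described above, added here as an example (not code from the diary or from Symantec): it flags content that addresses an HTML file inside a CHM through the HTML Help protocol handlers and script that references the `ADODB.Stream` ProgID. The handler list (`ms-its:`, `its:`, `mk:@MSITStore:`), the function name `scan` and the sample documents are assumptions constructed for the example; the diary does not list them.

```python
import html
import re
from urllib.parse import unquote

# HTML Help (InfoTech) protocol handlers address a file inside a CHM as
# <scheme>:<path>.chm::/<file>. The handler list is an assumption of this example.
CHM_REF = re.compile(
    r"(?<![\w-])(?:ms-its|its|mk:@MSITStore):[^\"'<>\s]*?\.chm::[^\"'<>\s]*",
    re.IGNORECASE,
)
# ProgID of the ADO stream object, regardless of how the script instantiates it.
ADODB_REF = re.compile(r"ADODB\.Stream", re.IGNORECASE)


def scan(text):
    """Return (indicator, line_number, matched_text) tuples for one document."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Undo entity and percent encoding so "ms-its%3A" or "&#58;" cannot
        # hide the scheme from the pattern.
        line = unquote(html.unescape(raw))
        for m in CHM_REF.finditer(line):
            findings.append(("chm-embedded-html", lineno, m.group(0)))
        for m in ADODB_REF.finditer(line):
            findings.append(("adodb-stream", lineno, m.group(0)))
    return findings


# Constructed samples (not taken from the diary or from any real site).
SAMPLE_PAGE = "\n".join([
    "<html><body>",
    "<p>Welcome</p>",
    '<a href="ms-its:http://files.example.invalid/help.chm::/start.htm">help</a>',
    '<a href="ms-its%3Ahttp://files.example.invalid/b.chm::/x.htm">more</a>',
    "</body></html>",
])
SAMPLE_SCRIPT = 'Set s = CreateObject("ADODB.Stream")'
BENIGN_PAGE = '<a href="/docs/manual.chm">Download the manual</a>'

if __name__ == "__main__":
    docs = {"page": SAMPLE_PAGE, "script": SAMPLE_SCRIPT, "benign": BENIGN_PAGE}
    for name, doc in docs.items():
        for finding in scan(doc):
            print(name, *finding)
```

Because the two stages normally arrive in separate files (the web page, then the HTML or script it pulls in), run the scan over every captured artifact and correlate hits by session rather than expecting both indicators in one document.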
