New security exploit combination, I think 

Yesterday, a coworker's computer (running NT 4.0 SP1) was
hit by a search-page replacement JS exploit, but this was
much more invasive than the norm.  I counted about twenty
iterations of the alternate page in the registry, and the
author of the exploit seems to have discovered a way to
change the Internet Options control panel applet
substantially.  The Security and Advanced tabs have been
removed entirely and the Home page option in the General
tab is greyed out.  Has anyone encountered this, and does
anyone have a solution?

P.S.  McAfee caught at least one of the trojans in
execution, JS/NoClose, though it just functioned to hold
open the browser while the security zone was set low and
other registry changes were made.

[Previously posted on microsoft.public ... ie55.browser]



Tue, 28 Jun 2005 12:54:38 GMT  
 New security exploit combination, I think
FWIW, there's a new security patch for NT4 referencing KB 810847 which does
not yet exist in public.

Posts in security have it applying to ie55sp2 and ie6sp1, but it doesn't
come up for Windows 2000--it appears to be NT4 specific.


Quote:
> Yesterday, a coworker's computer (running NT 4.0 SP1) was
> hit by a search-page replacement JS exploit, but this was
> much more invasive than the norm.  I counted about twenty
> iterations of the alternate page in the registry, and the
> author of the exploit seems to have discovered a way to
> change the Internet Options control panel applet
> substantially.  The Security and Advanced tabs have been
> removed entirely and the Home page option in the General
> tab is greyed out.  Has anyone encountered this, and does
> anyone have a solution?

> P.S.  McAfee caught at least one of the trojans in
> execution, JS/NoClose, though it just functioned to hold
> open the browser while the security zone was set low and
> other registry changes were made.

> [Previously posted on microsoft.public ... ie55.browser]



Tue, 28 Jun 2005 13:51:14 GMT  
 New security exploit combination, I think

Quote:
>-----Original Message-----
>FWIW, there's a new security patch for NT4 referencing KB
>810847 which does not yet exist in public.

Yep, I found it suspicious (and maddening).  I did find a
fix for the greyed-out Home page option
(HKCU|Software|Policies|Microsoft|Internet
Explorer|Control Panel, then delete the "Home" key), but I
won't be able to test it until tomorrow.

Quote:
>Posts in security have it applying to ie55sp2

Yeah, this was 55sp2.  Interesting that 6 was affected
too...

Quote:
>it doesn't come up for Windows 2000

And none of the home OS versions have patches, either.

Thanks for the response; I'm glad I'm not alone in
suspecting a connection.



Tue, 28 Jun 2005 14:01:38 GMT  
 New security exploit combination, I think

Quote:
>Yep, I found it suspicious (and maddening).  I did find a
>fix for the greyed-out Home page option
>(HKCU|Software|Policies|Microsoft|Internet
>Explorer|Control Panel, then delete the "Home" key), but I
>won't be able to test it until tomorrow.

Solution: just delete the "Control Panel" key or all of
the data in it.  The entries created
are "AdvancedTab", "Home", and "SecurityTab".


Wed, 29 Jun 2005 04:01:35 GMT  
 New security exploit combination, I think
I still have no idea what that patch is all about.

Looking at WindowsUpdate history, it claims to be:

810847: January 2003, Cumulative Patch for Internet Explorer 6 Service Pack
1 - version 6,0,2800,1141 - was successfully installed.
12:16:42 AM Friday, January 10, 2003 : 5912

But there's still nothing in the KB, nor the MS or Shavlik XML files
relating to this.


Quote:

> >Yep, I found it suspicious (and maddening).  I did find a
> >fix for the greyed-out Home page option
> >(HKCU|Software|Policies|Microsoft|Internet
> >Explorer|Control Panel, then delete the "Home" key), but I
> >won't be able to test it until tomorrow.

> Solution: just delete the "Control Panel" key or all of
> the data in it.  The entries created
> are "AdvancedTab", "Home", and "SecurityTab".



Fri, 01 Jul 2005 09:50:44 GMT  
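
Added example, not part of any post in the thread: a check that scans a regedit text export for values under the Internet Explorer "Control Panel" policy key named above, so the restriction entries can be confirmed before the key is deleted. The sample export, its dword data and the matching of the same key under other hives (for example HKEY_USERS) are assumptions; the thread gives only the HKCU path and the three value names.

```python
import re

# Key path and value names are the ones given in the thread.
POLICY_SUFFIX = r"\software\policies\microsoft\internet explorer\control panel"
THREAD_VALUES = {"advancedtab", "home", "securitytab"}

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def find_ie_restrictions(reg_text):
    """Return (key, value_name, data, named_in_thread) for every value stored
    under an Internet Explorer 'Control Panel' policy key in a regedit export."""
    findings, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group("key")
            # Track only sections that are the policy key itself, in any hive.
            current = key if key.lower().endswith(POLICY_SUFFIX) else None
            continue
        m = VALUE.match(line)
        if m and current:
            name = m.group("name")
            findings.append((current, name, m.group("data"),
                             name.lower() in THREAD_VALUES))
    return findings


# Constructed sample export; the dword data is an assumption, the thread
# gives only the value names.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"AdvancedTab"=dword:00000001
"Home"=dword:00000001
"SecurityTab"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, data, known in find_ie_restrictions(SAMPLE):
        tag = "named in thread" if known else "other restriction"
        print(f"{key}: {name} = {data} ({tag})")
```

Values reported as "other restriction" sit under the same policy key but are not among the three names listed in the thread, so they deserve a look before the whole key is removed.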