[Esa-l] Microsoft Security Bulletin MS01-020
John D. Hardin
jhardin at wolfenet.com
Sat Mar 31 11:18:52 PST 2001
On Fri, 30 Mar 2001, Microsoft Product Security wrote:
> However, a flaw exists in the type of processing that is specified
> for certain unusual MIME types. If an attacker created an HTML
> e-mail containing an executable attachment, then modified the MIME
> header information to specify that the attachment was one of the
> unusual MIME types that IE handles incorrectly, IE would launch
> the attachment automatically when it rendered the e-mail.
I've taken a look at the sample exploit, and basically it consists of
giving an attachment with a *.VBS filename a MIME type of
AUDIO/MS-whatever (and other similar combinations). Apparently IE5
uses the attachment name to figure out how to handle the attachment
(which is understandable on Microsoft OSes from a historical
perspective) and uses the MIME type only for icons or something else.
The sanitizer will trap these attacks successfully as it keys off the
attachment names and not the MIME type.
I do not at this time recommend poisoning *.EML attachments.
--
John Hardin KA7OHZ ICQ#15735746 http://www.wolfenet.com/~jhardin/
jhardin at wolfenet.com pgpk -a finger://gonzo.wolfenet.com/jhardin
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Failure to plan ahead on someone else's part does not constitute an
emergency on my part.
- David W. Barts in a.s.r
<davidb at ce.washington.edu>
-----------------------------------------------------------------------
Tomorrow: Daylight Savings Time begins
More information about the esd-l
mailing list