
Re: [Full-Disclosure] ADODB.Stream object



jelmer <jkuperus@planet.nl> to me:

<<snip explanation of 3rd-party app dragging HTML content across the
  "security zone barrier" unhindered>>
> I know this thought also crossed my mind, I also received some mail-borne
> viruses which used a similar scheme but one may argue that had the zip
> file contained a .vbs or .exe file, people would have opened it as well.

Sure, but there have been a few other self-mailing viruses that have 
distributed themselves via .ZIP file attachments and the relative 
success of Mimail in particular seems in no small part attributable to 
the fact that "your average punter" is exceedingly unlikely to consider 
an HTML file to be "suspicious" _in any context_.

This observation of the expected -- "predictable" even -- failing of 
the human component in the "security chain" is what makes security 
vulnerabilities, such as this latest one Jelmer has pointed out, much more 
dangerous than the typical "Mitigating factors" BS in MS Security 
Bulletins would have you believe.  For those who haven't already 
realized, nearly everything listed as "Mitigating factors" in MS 
Security Bulletins related to HTML parsing/security zone/etc flaws in 
IE/OE/OL are, in fact, simple pointers to easy things any half-clever 
black-hat can obviously use to exploit the stupidity of several hundred 
million "typical Windows users", and usually most or all of these 
approaches will already have been outrageously successful (with other 
similar vulnerabilities) in two, three or more existing self-mailing 
viruses.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html