[Am-info] Windows in trouble for any html use!

Gene Gaines gene.gaines@gainesgroup.com
Tue, 13 Jul 2004 10:21:35 -0400


The U.S. Department of Homeland Security has notified the world
to stop using the Web browser, and in fact generally stop using
Windows to view any HTML documents.

Hopefully, if you use Microsoft Internet Explorer or Microsoft
Outlook, you know about this problem and have taken steps to
guard your computer.  If not, it is time to panic and read this
now.

If you are lucky (or wise) enough NOT to use the above, this
report is fascinating and worth taking time to read carefully.

See: http://www.kb.cert.org/vuls/id/713878

This warning is by US-CERT, the United States Computer Emergency
Readiness Team, part of the U.S. Department of Homeland
Security.

I'll attempt a short description:

   By convincing a victim to view an HTML document (web page,
   HTML email), an attacker could execute script in a different
   security domain than the one containing the attacker's
   document. By causing script to be run in the Local Machine
   Zone, the attacker could execute arbitrary code with the
   privileges of the user running IE.

   By redirecting to a local resource, controlling the timing of
   the redirect, and setting the frame's location to a
   javascript: protocol URI, an attacker can execute script in
   the security context of the Local Machine Zone.

   Functional exploit code is publicly available, and there are
   reports of incidents involving this vulnerability.

   Any program that hosts the WebBrowser ActiveX control or uses
   the IE HTML rendering engine (MSHTML) may be affected by this
   vulnerability.

Seems to me, then, run any of the many Windows-based applications
that make use of the IE HTML rendering engine and you're running
down the street with no pants on.  That includes HTML emails.

So, the answer is to follow no hot-links and view no email unless
you are sure of the source.

Hey, the AM-INFO list should be safe because we use ASCII.

Are you sure this email does not contain HTML?

I again invite you to visit: http://www.kb.cert.org/vuls/id/713878

But, if you visited the above site, are you SURE that site is not a
fake and your computer may have been compromised?

Are you sure this email was sent by Gene Gaines?

Are you sure one of the HTML emails you read this week was not an
exploit?

I'm glad I use Mozilla and The Bat!

/Gene Gaines
gene.gaines@gainesgroup.com
Sterling, Virginia/
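
The question "Are you sure this email does not contain HTML?" can be answered mechanically before a message reaches an HTML renderer. The following is an added example, not part of the original post: it walks a message's MIME parts, keeps the text/plain body, and reports text/html parts and the frame and javascript: markers the advisory mentions. The names `audit` and `MARKERS` and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: a multipart/alternative mail whose HTML part carries
# a frame and a javascript: URI (inert markers only).
SAMPLE = """\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Plain text body.
--b1
Content-Type: text/html; charset=us-ascii

<html><body><iframe src="placeholder.htm"></iframe>
<a href="javascript:void(0)">link</a></body></html>
--b1--
"""

# Markers relevant to the advisory: frames and javascript: URIs,
# plus script/object tags that an HTML renderer would act on.
MARKERS = {
    "frame": re.compile(r"<\s*i?frame\b", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "object-tag": re.compile(r"<\s*object\b", re.I),
}

def audit(raw: str) -> dict:
    """Return the text/plain body plus a report on any text/html parts."""
    msg = message_from_string(raw)
    plain, html_parts, findings = [], 0, set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "ascii", "replace")
        ctype = part.get_content_type()
        if ctype == "text/plain":
            plain.append(text)
        elif ctype == "text/html":
            html_parts += 1
            findings |= {name for name, rx in MARKERS.items() if rx.search(text)}
    return {"plain": "".join(plain), "html_parts": html_parts,
            "findings": sorted(findings)}
```

The marker check is a plain substring scan, so entity-encoded or otherwise obfuscated markup is not caught; a nonzero `html_parts` count is the reliable signal that a message should be shown as text only.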
