
Web Attack: MS IE EXE in IMG Code Execution

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects use of the Shell:startup function in content hosted by a compromised web server.

Additional Information

Microsoft Internet Explorer is reported prone to a vulnerability that may allow unauthorized installation of malicious executables. Proofs of concept have been released demonstrating that the vulnerability may be exploited to entice a user into installing a file on their own computer, with some degree of user interaction.

Specifically, an executable may be embedded in a Web page and presented as an image object to the user. Another frame can be loaded that references a folder on the victim's file system via the anchorClick style behavior. The page will be obfuscated in such a way as to disguise the fact that when the user clicks on the image object it will implicitly drag it to the folder that has been specified.

It has been demonstrated that various other measures may be taken to limit the amount of user interaction required, but the exploit hinges on the user interacting, via mouse events, with an object within the Web page that represents an executable, causing the executable to be moved to the folder that has been loaded in the obfuscated secondary frame.

An attacker may exploit this vulnerability to influence a target victim into unknowingly installing software in a location on the computer such as the startup folder. If the malicious executable is placed in the startup folder, it will run when the system is restarted.
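
A content check for the two indicators named above (a Shell:startup reference and the anchorClick behavior) can be sketched as follows. This is an added example, not Symantec's signature logic; the function names, the verdict levels and the sample fragments are assumptions made for illustration. It normalizes HTML-entity and percent encoding before matching, so that an encoded reference is still caught.

```python
import html
import re
from urllib.parse import unquote

# Indicators taken from the advisory text. Matching on these strings is an
# assumption of this example, not the vendor signature's actual logic.
INDICATORS = {
    "shell_startup": re.compile(r"shell\s*:\s*startup"),
    "anchorclick": re.compile(r"anchorclick"),
}

def normalize(body: str, max_rounds: int = 3) -> str:
    """Undo HTML-entity and percent encoding (possibly nested), then lowercase."""
    text = body
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    return text.lower()

def scan_response(body: str) -> list:
    """Return the sorted names of indicators present in an HTTP response body."""
    text = normalize(body)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def verdict(body: str) -> str:
    """alert: startup-folder reference seen; review: anchorClick only; pass: neither."""
    hits = scan_response(body)
    if "shell_startup" in hits:
        return "alert"
    return "review" if hits else "pass"

# Constructed fragments (not captured traffic), one per encoding variant.
SAMPLES = {
    "plain": 'value="Shell:Startup"',
    "entity": 'value="shell&#58;startup"',
    "percent": 'value="shell%3Astartup"',
    "double": 'value="shell%253Astartup"',
    "behavior_only": 'style="behavior:url(#default#AnchorClick)"',
    "benign": '<img src="/images/logo.gif" alt="Startup guide">',
}

def run_samples() -> dict:
    """Map each constructed sample name to its verdict."""
    return {name: verdict(body) for name, body in SAMPLES.items()}
```

The anchorClick behavior on its own also appears in legitimate pages, which is why this sketch rates it "review" rather than "alert".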

Affected

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya Modular Messaging (MSS) 1.1, 2.0
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Microsoft Internet Explorer 5.0.1, 5.0.1 SP1, 5.0.1 SP2, 5.0.1 SP3, 5.0.1 SP4, 5.5, 5.5 SP1, 5.5 SP2, 6.0, 6.0 SP1, 6.0 SP2
  • Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows ME
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003
  • Microsoft Windows XP Home SP1, SP2
  • Microsoft Windows XP Media Center Edition SP1, SP2
  • Microsoft Windows XP Professional SP1, SP2
  • Microsoft Windows XP Tablet PC Edition SP1, SP2
  • Nortel Networks IP softphone 2050
  • Nortel Networks Mobile Voice Client 2050
  • Nortel Networks Optivity Telephony Manager (OTM)
  • Nortel Networks Symposium Web Center Portal (SWCP)
  • Nortel Networks Symposium Web Client

Response

Microsoft has released a cumulative update for supported versions of Internet Explorer to address this and other vulnerabilities.

Additional Mitigation
Do not accept communications that originate from unknown or untrusted sources.

Attacks may occur through email. Users should avoid accepting or opening email that appears suspicious or originates from an unfamiliar source. As an additional security measure, client support for HTML email should be disabled.