In-Depth

In Brief

Antivirus and browser vulnerabilities, unsubscribe may be unwise

• By Mathew Schwartz
• 10/27/2004

Antivirus May Fail to See Some Zip Files

Many antivirus engines are vulnerable to a zip-file sneak attack, reports security intelligence company iDefence. Products from such vendors as Computer Associates, Kaspersky Labs, McAfee, and Sophos are reportedly affected.

The scanners are defeated by changing header information in the zip file—there’s both a local and a global header—to say the actual size of one or more compressed files in the zip is zero bytes. The scanner then skips the zero-byte files, believing them too small to contain attack code. Yet the zip files can still be unzipped without problem. Thus the potential attack vector: malware, compressed in a zip file with phony header information, could be e-mailed through a company’s defenses.

Kaspersky Labs, which confirms the vulnerability exists in its products, says its next weekly update will patch the problem. In addition, notes Eugene Kaspersky, the head of antivirus research for Kaspersky Labs, “although it does theoretically represent a security risk, we haven’t detected any attempts to exploit this vulnerability.”

- - -

Bevy of Browser Vulnerabilities, Including IE

A number of browser vulnerabilities were recently disclosed. The problems range from insufficient validation of drag-and-drop events, to spoofed dialog boxes, to the ability of inactive tabs in tabbed browsers to exert control over active tabs.

Microsoft’s Internet Explorer (IE) 6 has two vulnerabilities, both of which Secunia labels “highly critical,” noting they can be “exploited by malicious people to compromise a user’s system, link to local resources, and [one can] bypass a security feature in Microsoft Windows XP SP2.”

The first vulnerability concerns the drag-and-drop feature; IE doesn’t properly validate such events, allowing items to be dragged from the “Internet” zone to the “local” zone. This could be exploited, for example, “by a malicious Web site to plant arbitrary HTML documents on a user’s system,” says Secunia. These files might then run scripts. Note, however, this doesn’t affect Microsoft Windows XP SP2, since SP2 prohibits Active Scripting in the “local” zone.

The second vulnerability, a security zone restriction error, does affect SP2, and can bypass the SP2’s “local” zone lockdown. The vulnerability allows a malicious Web site to access—and execute—HTML documents in the local zone by making reference to a special index file with a .hhk extension. This attack, used in combination with another vulnerability, in which the ActiveX Data Object model allows writing of files to a target computer, could compromise a PC.

Secunia recommends users “disable Active Scripting or use another product.”

Link for disabling Active Content in IE:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q154036

Mozilla, Netscape, Opera, Safari Vulnerabilities

Secunia says multiple browsers have a vulnerability that would allow an attacker to spoof dialog boxes. The error results from inactive windows being able to launch dialog boxes that appear to be from the active window. Secunia rates these vulnerabilities from “moderately critical” to “less critical.”

The affected browsers are Mozilla’s Camino, Firefox, and Mozilla (confirmed on Mozilla 1.7.2 and 1.7.3, and Firefox 0.10.1); AOL’s Netscape 7, Opera versions 6 and 7 (only confirmed on Opera 7.54), and Apple’s Safari.

The Mozilla and Netscape browsers have a second vulnerability, which could allow inactive tabs to siphon information from form fields being filled out in the active tab.

The solution for negating the spoofed-dialog-box and form-information-siphoning vulnerabilities, says Secunia, is to not “visit trusted Web sites while visiting untrusted Web sites, or disable JavaScript.”

- - -

Unwise to Unsubscribe

Even after Can-Spam passed into law on January 1, 2004, bothering to click an “unsubscribe” link at the bottom of most spam e-mails was a questionable proposition. Most unsubscribe links were dead, lead to fake addresses, or just registered the proactive clicker’s real (live) address for future junk e-mail bombardment.

According to MessageLabs, however, now there’s another reason to avoid unsubscribing from spam. A new attack launches Trojan code when a user clicks an unsubscribe link at the bottom of an e-mail. The Trojan code itself is downloaded and held at the ready if users move their mouse into the browser’s scroll bar area, via an Internet Explorer vulnerability involving scripting and drag-and-drop.

MessageLabs says the Trojan appears designed to allow remote control of the infected PC, possibly for use in a distributed zombie network, able to launch large amounts of spam by using the PC as an open proxy, or for launching denial-of-service attacks. New variations are also appearing, with one installing a keystroke logger.

The attacks are not widespread, says MessageLabs—perhaps reflecting people’s predisposition to not bother unsubscribing from spam. In any case, here’s another incentive.

Related Article:

Patch or Perish: Symantec Notes Dramatic Increase in Threats
http://www.esj.com/Security/article.aspx?EditorialsID=1136