[31772] in bugtraq


RE: AIM Password theft

daemon@ATHENA.MIT.EDU (Drew Copley)
Wed Sep 24 20:38:19 2003

From: "Drew Copley" <dcopley@eeye.com>
To: "'Brent Meshier'" <brent@meshier.com>, <bugtraq@lists.securityfocus.com>
Date: Wed, 24 Sep 2003 10:18:09 -0700
Message-ID: <011701c382bf$d368efe0$2b02a8c0@dcopley>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
In-Reply-To: <001201c38206$b7f50a50$0300a8c0@brent>
Content-Transfer-Encoding: 8bit

It is a zero-day bug, one of two found in IE these past two weeks. It was
publicly disclosed. Apparently, someone is using it. Which is not a
surprise.

Jelmer's Bug:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010013.html

A fix for this issue:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010042.html

Or, you can turn off ActiveX and JavaScript... But, most people will not do
that, and you might as well kill this component anyway.



> -----Original Message-----
> From: Brent Meshier [mailto:brent@meshier.com] 
> Sent: Tuesday, September 23, 2003 12:13 PM
> To: bugtraq@lists.securityfocus.com
> Subject: Re: AIM Password theft
> 
> 
> Mark,
> 	The code you just sent looks familiar to a SPAM I received attempting
> to hijack users' e-gold accounts.  Out of curiosity I followed that link
> which loaded start.html (attached).  What worries me is that I'm running
> IE 6.0.2800.1106 with all the latest patches from Microsoft and this page
> (start.html) rewrote wmplayer.exe on my local drive without notice.  After
> closing the page, I found two .exe files on my desktop (which loaded from
> http://doz.linux162.onway.net/eg/1.exe).  Is this a new unknown
> vulnerability?
> 
> Brent Meshier
> Global Transport Logistics, Inc.
> http://www.gtlogistics.com/
> "Innovative Fulfillment Solutions"
> 
> -----Original Message-----
> From: Mark Coleman [mailto:markc@uniontown.com] 
> Sent: Tuesday, September 23, 2003 11:43 AM
> To: bugtraq@securityfocus.org
> Subject: [Fwd: Re: AIM Password theft]
> 
> Hi, can anyone shed some light on this for me?  If this is new, it's
> going to spread like wildfire.  AOL or incidents lists have yet to
> reply....  it appears to be a legitimate threat as I have at least one
> user "infected" already..  Thank you..
> 
> -Mark Coleman
> 

