
| Subject: | Re: [Full-disclosure] Re: [security] What A Click! [Internet Explorer] |
|---|---|
| Date: | Fri, 27 Jan 2006 23:39:05 +0000 |

On 27/01/06, yossarian <yossarian@planet.nl> wrote:

> HTA runs applications from HTML documents. Like I mentioned, never broke anything in my experience. And yes, I sometimes develop stuff on this old windows box, including webstuff. HTA is a MS invention, Firefox has followed. But the main thing HTA has been, and IMHO will remain, is a security flaw.

FUD. HTAs are scripts which run outside the context of Internet Explorer's security model because they are hosted by mshta.exe. Firefox has nothing to do with it. Anyway, the fact that the payload of this PoC is an HTA is irrelevant: the user is fooled into clicking the Run dialog by the Agent overlay, and the payload could as easily be any Windows executable. The advantage of an HTA in this situation, of course, is that the paranoid can inspect it to see exactly what it does: not so easily when a PoC drops booom.exe into your c: drive and executes it. You might be interested to know that Windows' Add/Remove programs dialog is itself an HTA - paste res://appwiz.cpl/default.hta into IE6's address bar to see for yourself.

> Never had an active scripting host, and that had also never had an adverse effect.

Scripting can be quite useful, in Windows just as any other OS.

> 'Everything web' includes worms, spyware and the like. Dunno, I prefer my web a bit cleaner. Sandboxing is possible, just like anything web, by running the browser in a citrix or terminal server box. They, being windows based, might be compromised as well, so maybe a better idea is to run a java based browser in a JVM and have it over with, use something like JREX or Opera. If corporate, you might prefer server side java.. Run the JVM on a tomcat or websphere on nix or even use the old big iron, open a sandboxed browser in a normal browser..... et voila, a sandboxed browser. Some say Tarantella might do the trick neatly, have not looked into that yet.

Why not just unplug your computer?

Regards

stuartd

_______________________________________________

Full-Disclosure - We believe in it.

Charter: http://lists.grok.org.uk/full-disclosure-charter.html

Hosted and sponsored by Secunia - http://secunia.com/