Interception of web content by AV software (was Re: VML Patch for Win9x?)

Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Adam Piggott wrote:
>> Oops, you're correct, thank you for clearing that up.
>
> Thanks Gary and Adam. BTW, Adam why do your messages include all the
> extra stuff?

The extra stuff is a digital signature, so that anyone using an
OpenPGP-compliant email program[1] can verify that I was the poster and
that the message hasn't been tampered with since sending.

I do this as I post on behalf of my business and consider it good practice
to do so. And to pre-empt anyone who is tempted, I've discussed why some
consider it pointless or wasteful to do so, and won't do so further :)

[1]I use Thunderbird with the Enigmail plug-in and GnuPG.


Cheers,

Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFImtx7uRVdtPsXDkRAi2iAJ0SVfxoPvrz5Mi05m7Aev9aU6oK3wCglIz+
7G/KYeLX+ctbbn3CHgmUSA4=
=+ht1
-----END PGP SIGNATURE-----
 
98 Guy

Adam said:
>> BTW, Adam why do your messages include all the
>> extra stuff?
>
> The extra stuff is a digital signature, so that anyone using an
> OpenPGP-compliant email program[1] can verify that I was the
> poster and that the message hasn't been tampered with since
> sending.

Do you think the PGP signature accomplishes anything for your usenet
posts other than cluttering up the post?
 
 
James Egan

> Do you think the PGP signature accomplishes anything for your usenet
> posts other than cluttering up the post?

I can remember someone giving Laura some flak a while back until he
checked that it wasn't an authentic post. That was closely followed by
an apology. It can be useful on rare occasions but most people
couldn't be bothered.


Jim.
 
 
98 Guy

James said:
> I can remember someone giving Laura some flak a while back
> until he checked that it wasn't an authentic post. That was
> closely followed by an apology. It can be useful on rare
> occasions but most people couldn't be bothered.

Even in that case, the headers would be easier to consult to determine
if a forging took place.

And it's still clutter.
 
 
Rick Chauvin

98 Guy wrote:
> [....]
> I submitted "testvml[1].htm" to virus total and only a handful of AV
> software flagged it. Symantec was one of them.
>
> I went to a Win-98 system that I haven't patched with the new version
> of VGX.dll and verified that it crashes when viewing the above URL.
> The NAV-2002 on that system was last updated Aug 28, so no it didn't
> flag anything.
>
> I then updated NAV to Sept 27 or 28 then went to that URL again, and
> again it crashes IE, but NAV catches and quarantines testvml[1].htm
> while the crash message is still on the screen.
>
> So basically NAV (2002 version) is not capable of intercepting bad WWW
> content before IE handles it.

fwiw, my W98SE partition has NAV2001 on it and with the latest definitions
(with or without the new dll) NAV instantly ''access denied'' stops the
page before it even loads and prompts it will not open the C:\WINDOWS\Local
Settings\Temporary Internet Files\Content.IE5\01234567\testvml[1].htm

After clicking through the AV prompt, with the old dll the browser
will kick up the send ms error report, but with the new dll in place the
page shows fine.

I haven't read the rest of the posts here but just wanted to mention
the above fwiw - seems it's being scanned and stopped before the
browser even has a chance to use it.

Rick
 
 
98 Guy

Rick said:
> fwiw, my W98SE partition has NAV2001 on it and with the latest
> definitions

Interesting. Glad to hear that NAV 2001 is still update-able.

> NAV instantly ''access denied'' stops the page before it even
> loads

> fwiw - seems it's being scanned and stopped before the
> browser even has a chance to use it.

I don't think that NAV is stopping the page from loading.

What you're seeing is that the browser has crashed, and before the
message telling you that IE has crashed you are getting a message from
NAV telling you about the detection and quarantining of the .htm file.

When you dismiss the NAV messages, IE comes back to the foreground and
the OS handles the crash with an error report.
 
 
Dan W.

Adam said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> Adam Piggott wrote:
>>> Oops, you're correct, thank you for clearing that up.
>>
>> Thanks Gary and Adam. BTW, Adam why do your messages include all the
>> extra stuff?
>
> The extra stuff is a digital signature, so that anyone using an
> OpenPGP-compliant email program[1] can verify that I was the poster and
> that the message hasn't been tampered with since sending.
>
> I do this as I post on behalf of my business and consider it good practice
> to do so. And to pre-empt anyone who is tempted, I've discussed why some
> consider it pointless or wasteful to do so, and won't do so further :)
>
> [1]I use Thunderbird with the Enigmail plug-in and GnuPG.
>
> Cheers,
>
> Adam Piggott, Proprietor, Proactive Services (Computing).
> http://www.proactiveservices.co.uk/
>
> Please replace dot invalid with dot uk to email me.
> Apply personally for PGP public key.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (MingW32)
>
> iD8DBQFFImtx7uRVdtPsXDkRAi2iAJ0SVfxoPvrz5Mi05m7Aev9aU6oK3wCglIz+
> 7G/KYeLX+ctbbn3CHgmUSA4=
> =+ht1
> -----END PGP SIGNATURE-----

Thanks for the detailed explanation. I really appreciate it.
 
 
PCR

| 98 Guy wrote:
| [....]
|
| > I submitted "testvml[1].htm" to virus total and only a handful of AV
| > software flagged it. Symantec was one of them.
| >
| > I went to a Win-98 system that I haven't patched with the new version
| > of VGX.dll and verified that it crashes when viewing the above URL.
| > The NAV-2002 on that system was last updated Aug 28, so no it didn't
| > flag anything.
| >
| > I then updated NAV to Sept 27 or 28 then went to that URL again, and
| > again it crashes IE, but NAV catches and quarantines testvml[1].htm
| > while the crash message is still on the screen.
| >
| > So basically NAV (2002 version) is not capable of intercepting bad WWW
| > content before IE handles it.
|
| fwiw, my W98SE partition has NAV2001 on it and with the latest definitions
| (with or without the new dll) NAV instantly ''access denied'' stops the
| page before it even loads and prompts it will not open the C:\WINDOWS\Local
| Settings\Temporary Internet Files\Content.IE5\01234567\testvml[1].htm
|
| After clicking through the AV prompt, with the old dll the browser
| will kick up the send ms error report, but with the new dll in place the
| page shows fine.

That appears to be what McAfee also does. Before the page shows &
crashes, I have the chance to delete or quarantine testvml[1].htm. So...
the Win2k .dll will prevent the crash. (I haven't taken it yet.)

But where is the vulnerability? In the virus file or in the crash of IE
or a combination of both? IOW, is the thing prevented by McAfee or by
the Win2k .dll? Is the crash flushing a buffer that the virus file
loaded?

| I haven't read the rest of the posts here but just wanted to mention
| the above fwiw - seems it's being scanned and stopped before the
| browser even has a chance to use it.
|
| Rick
|
| > Do we know if "modern" AV software intercepts and scans web content
| > BEFORE a browser sees it?
| >
| > Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
| > current AV software?
 
 
Rick Chauvin

98 said:
> Interesting. Glad to hear that NAV 2001 is still update-able.

> I don't think that NAV is stopping the page from loading.

Well yes in the sense that NAV halts everything in its tracks when it
detects the interest, and by saying okay to the prompt it lets it proceed
but just doesn't open the file listed and the page loads fine still. The
page is not loaded beforehand however. If it was imperative I
could prove it out one way or the other by detailing each step and
screenshot it all out to show exactly what happens with the original dll
and after the 2K swap, along with a before and after the NAV definition
update in both instances as well.. ..however you know it's not really that
important to do in this situation so I won't spend the time (which there is
little of) to digress on it further..

greetings to all

Rick
 
 
PCR

| | 98 Guy wrote:
| | [....]
| |
| | > I submitted "testvml[1].htm" to virus total and only a handful of AV
| | > software flagged it. Symantec was one of them.
| | >
| | > I went to a Win-98 system that I haven't patched with the new version
| | > of VGX.dll and verified that it crashes when viewing the above URL.
| | > The NAV-2002 on that system was last updated Aug 28, so no it didn't
| | > flag anything.
| | >
| | > I then updated NAV to Sept 27 or 28 then went to that URL again, and
| | > again it crashes IE, but NAV catches and quarantines testvml[1].htm
| | > while the crash message is still on the screen.
| | >
| | > So basically NAV (2002 version) is not capable of intercepting bad WWW
| | > content before IE handles it.
| |
| | fwiw, my W98SE partition has NAV2001 on it and with the latest definitions
| | (with or without the new dll) NAV instantly ''access denied'' stops the
| | page before it even loads and prompts it will not open the C:\WINDOWS\Local
| | Settings\Temporary Internet Files\Content.IE5\01234567\testvml[1].htm
| |
| | After clicking through the AV prompt, with the old dll the browser
| | will kick up the send ms error report, but with the new dll in place the
| | page shows fine.
|
| That appears to be what McAfee also does. Before the page shows &
| crashes, I have the chance to delete or quarantine testvml[1].htm. So...
| the Win2k .dll will prevent the crash. (I haven't taken it yet.)
|
| But where is the vulnerability? In the virus file or in the crash of IE
| or a combination of both? IOW, is the thing prevented by McAfee or by
| the Win2k .dll? Is the crash flushing a buffer that the virus file
| loaded?

Reading that...
http://secunia.com/advisories/21989/
......Quote.........
Description:

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the Microsoft Vector Graphics Rendering (VML) library (vgx.dll) when processing certain content in Vector Markup Language (VML) documents. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a malicious VML document containing an overly long "fill" method inside a "rect" tag with the Internet Explorer browser.

Successful exploitation allows execution of arbitrary code with the privileges of the application using the vulnerable functionality in the library.

NOTE: The vulnerability is currently being actively exploited.
.......EOQ...........

....It does seem it's a combo of the virus file & the IE crash to flush a buffer. I'm still torn on whether I need to switch .dll's. But, I've retrieved it, & I guess I will switch soon to prevent the crash. But why is it crashing?
 
 
David H. Lipman

From: "PCR" <[email protected]>

< snip >

| ...It does seems it's a combo of the virus file & the IE crash to flush a buffer. I'm
| still torn on whether I need to switch .dll's. But, I've retrieved it, & I guess I will
| switch soon to prevent the crash. But why is it crashing?

What virus ? This is Exploit code, not a virus !!!

It crashes because there is a bug in the code that causes a Buffer Overflow condition. It
is in this state that malware can take control of the system.

I have made it easy. Here's my self installing unofficial patch...
http://www.ik-cs.com/programs/virtools/VML-HTML_FIX.exe
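An added example (my code, not anything from the thread, from vgx.dll or from the linked patch) that models the bug class in PCR's Secunia quote and David Lipman's answer: an attribute value copied into a fixed stack buffer with no length check, next to the bounded version that refuses oversize input instead of overrunning the stack. The `<v:fill method="...">` shape, METHOD_MAX and the sample documents are assumptions of mine.

```c
/* Added example, not code from the thread or from vgx.dll: a toy reader for
 * the "method" value of a <v:fill> inside <v:rect> (my modelling of the
 * advisory's wording) showing the bug class Secunia describes, an overly long
 * attribute copied into a fixed stack buffer, beside a bounded version. */
#include <stdio.h>
#include <string.h>

#define METHOD_MAX 32  /* assumed field size; the real one is not on the page */

/* Locate the method="..." value of the first <v:fill inside the first
 * <v:rect ...></v:rect>. Returns the value start and sets *len, or NULL. */
const char *find_fill_method(const char *doc, size_t *len) {
    const char *rect = strstr(doc, "<v:rect");
    const char *rect_end = rect ? strstr(rect, "</v:rect>") : NULL;
    if (!rect || !rect_end) return NULL;
    const char *fill = strstr(rect, "<v:fill");
    if (!fill || fill > rect_end) return NULL;
    const char *attr = strstr(fill, "method=\"");
    if (!attr || attr > rect_end) return NULL;
    attr += strlen("method=\"");
    const char *quote = strchr(attr, '"');
    if (!quote || quote > rect_end) return NULL;
    *len = (size_t)(quote - attr);
    return attr;
}

/* The buggy pattern: no length check, so a value longer than METHOD_MAX-1
 * bytes writes past 'method' on the stack. Kept for contrast; never called. */
int read_method_unbounded(const char *doc) {
    char method[METHOD_MAX];
    size_t len;
    const char *v = find_fill_method(doc, &len);
    if (!v) return -1;
    memcpy(method, v, len);          /* unbounded copy: stack buffer overflow */
    method[len] = '\0';
    return (int)strlen(method);
}

/* Hardened version: the length is checked against the destination before any
 * copy and oversize attributes are rejected as malformed input.
 * Returns the value length, -1 if absent, -2 if too long. */
int read_method_bounded(const char *doc, char *out, size_t out_size) {
    size_t len;
    const char *v = find_fill_method(doc, &len);
    if (!v) return -1;
    if (len >= out_size) return -2;  /* would overflow: refuse and stop */
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample documents (not the testvml[1].htm from the thread). */
const char *benign_doc =
    "<html><v:rect style=\"width:100px\"><v:fill method=\"linear\"/></v:rect></html>";
static char oversize_doc[512];
char method_out[METHOD_MAX];     /* destination buffer used by the checks */

/* Build a document whose method value is 200 'A's, far past METHOD_MAX. */
const char *build_oversize_doc(void) {
    char pad[201];
    memset(pad, 'A', 200); pad[200] = '\0';
    snprintf(oversize_doc, sizeof oversize_doc,
             "<html><v:rect><v:fill method=\"%s\"/></v:rect></html>", pad);
    return oversize_doc;
}
```

The bounded reader returns 6 for the benign document and -2 for the oversize one; that refusal, not a crash, is what the patched library has to produce.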
 
