Lido
In searching on-line last night for, of all things, a bathroom scale, I
loaded a web page that had a script that exploited the MSHTA/scripting
vulnerability.
To give maximum disclosure, this was a new system with XP Pro SP1 which
I hadn't updated with any of the security patches. Nor did I have
antivirus software running, as I was put off by the user reviews I'd
read for Norton and McAfee, and was looking for something better.
What I did have running was Zone Alarm, which alerted me that MSHTA.exe
was trying to make an outbound connection. I denied the connection and
closed all instances of IE. I also killed any process I couldn't
immediately identify, and unplugged my computer from the cable modem.
After a period where I saw there was no unusual process or disk activity
(which I admit is very subjective), I reconnected to the Internet with
the goal of running Symantec's online virus and trojan scan. When I
opened IE, my home page had changed to one that looked like MSN, but was
actually a frameset at "www.browser-page.com". I changed it back, and
it's stayed that way through several restarts.
I ran both Symantec's and McAfee's online scans, and neither found any
viruses or trojans in my system or data files. I checked the Registry
under all the instances of \software\Microsoft\windows\currentversion
\run\ and similar, and there's no evidence of bogus background tasks or
services.
I've since applied the cumulative security update (MS04-004) for IE 6.
From what I understand of MSHTA, there's no real limit on what the
script can do, especially when running in a privileged context. Setting
that worst-case scenario aside, what are some of the more common
scenarios when exploiting this vulnerability?
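The registry check the post describes, carried a step further, as an added example that is not part of the original post. It is PowerShell for a current Windows host (the XP SP1 machine in the post predates PowerShell) and reads, without modifying anything, the standard autostart locations that a manual look at the Run keys tends to skip (RunOnce, the Policies Run keys, Winlogon Shell/Userinit, Active Setup StubPath entries, Browser Helper Objects) together with the Internet Explorer Start Page and Default_Page_URL values that a home-page hijack like the one above rewrites. The key and value names are Microsoft's; the flagging heuristics, the $KnownHosts list and the output layout are my own choices and are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post: read-only triage of registry
# autostart locations and IE start/search page values. Run from an elevated
# prompt so HKLM keys are readable. Heuristics and $KnownHosts are assumptions.

$KnownHosts = @('www.msn.com', 'www.google.com')   # home-page hosts you expect; placeholder list

# Keys whose every value is a command run at logon
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjectDelayLoad'
)

# Single values that a hijack overwrites rather than adds to
$SingleValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Load' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Default_Page_URL' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Search Page' },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main'; Name = 'Default_Page_URL' }
)

function Get-RegistryValues {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $item) { return }
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider ...
        [pscustomobject]@{ Location = $Path; Name = $p.Name; Data = [string]$p.Value }
    }
}

function Get-AutostartEntries {
    foreach ($k in $AutostartKeys) { Get-RegistryValues -Path $k }

    # Active Setup: each component subkey's StubPath runs once per user at logon
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
            if ($stub) { [pscustomobject]@{ Location = $_.PSPath; Name = 'StubPath'; Data = [string]$stub } }
        }

    # Browser Helper Objects: CLSID subkeys, resolved to the DLL IE loads in-process
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid = $_.PSChildName
            $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Location = 'BHO'; Name = $clsid; Data = [string]$dll }
        }

    foreach ($v in $SingleValues) {
        $data = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ($null -ne $data) { [pscustomobject]@{ Location = $v.Path; Name = $v.Name; Data = [string]$data } }
    }
}

function Test-Suspicious {
    param([string]$Data)
    # Heuristics (my own): a script host started from an autostart, a binary in a
    # user-writable or temp directory, or a page value pointing at an unexpected host.
    if ($Data -match '(?i)\b(mshta|wscript|cscript)(\.exe)?\b') { return 'script host in autostart' }
    if ($Data -match '(?i)\\(Temp|Local Settings|AppData|Documents and Settings)\\') { return 'runs from a user-writable path' }
    if ($Data -match '^(?i)https?://([^/]+)' -and $Matches[1] -notin $KnownHosts) { return "page set to $($Matches[1])" }
    return $null
}

# Flagged entries sort to the top; everything else is listed for manual review.
Get-AutostartEntries | ForEach-Object {
    $_ | Add-Member -NotePropertyName Flag -NotePropertyValue (Test-Suspicious -Data $_.Data) -PassThru
} | Sort-Object Flag -Descending | Format-Table Flag, Location, Name, Data -AutoSize -Wrap
```

A clean result from this script is still only a registry view: an entry installed as a service, a scheduled task, or a file dropped into the Startup folder does not appear here, so treat it as a complement to the online scans in the post rather than a replacement for them.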