Closed Bug 293892 Opened 20 years ago Closed 19 years ago

Cracker used HTML.MHTMLRedir!exploit to download and run Java class "BlackBox.class..."; ultimately created program of choice on user computer.

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED INVALID

People

(Reporter: gn0wk, Unassigned)

Details

(Whiteboard: [sg:needinfo])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Found adware installed by a Java program called "weather.exe" after I visited a
cracker website.  The "weather.exe" was auto-loaded at Windows startup, i.e. the
registry was also penetrated. Norton Antivirus reported the following items:
MHTMLRedir.Exploit, BlackBox.class-6a88adec-7d05ef74.class,
Dummy.class-7b3d82c6-22cd3d8b.class, VerifierBug.class-407c3e1c-451c25da.class.

Reproducible: Didn't try

Hope you can plug this security vulnerability. Potentially, it allows the
cracker to run code of choice on most XP computers.

HTML.MHTMLRedir!exploit is an old exploit reported in 2003; see the following URL
for more info:
http://securityresponse.symantec.com/avcenter/venc/data/mhtmlredir.exploit.html#technicaldetails
Why do you think that a) the cracker got in through a Firefox hole, and b) that
it was "HTML.MHTMLRedir"? The advisory for HTML.MHTMLRedir says:

"This threat only affects Microsoft Internet Explorer."

Gerv
May I suggest not visiting cracker websites?

Norton warns about IE javascript exploit attempts like MHTMLRedir when web pages
containing that content are downloaded to a temporary cache file as part of
normal processing. Those warnings don't mean you've been infected (check the
Norton alerts to see if you're vulnerable) but are a reliable clue you are
visiting a dodgy website you should avoid.

The sites we've seen trying to install this kind of stuff use a grab-bag of
exploits targeted at different versions of different browsers. Most likely it
was a Java exploit that actually did the dirty deed.

Do you have Java enabled?
What version of Sun's JRE do you use?
Do you allow the JRE to check for updates?

Typing about:plugins in the location bar will answer the first two questions.
The Java icon in the Windows Control Panel can answer the second two questions.
Whiteboard: [sg:needinfo]
From e-mail (please keep bug-related details *in* the bug):

> Come to think of it, you may be right.  Just because I downloaded the exploit,
> it doesn't prove it did it.  The site also tried to install plugins but I
> declined.  In the end, something got through.
>
> 1. Java was turned "on" in Firefox. Allow website to install software was "off".
> 2. Java(TM) 2 Platform Standard Edition 5.0 Update 2.
> 3. Yes, update was allowed in the control panel.
>
> p.s. whether I visit cracker sites is irrelevant.  Any dodgy site may do the
> same, whether it be stealing credit card numbers, making your computer a zombie
> or installing adware.  Once the security hole is out, unless it is plugged, all
> are vulnerable.

I'm not saying you didn't anything, I'm just saying it wasn't MHTMLRedir so we
need to keep looking to find out what it is. I haven't heard of any exploits in
that version of the JRE, so that may not be the vector either. We're no closer
to having anything we can fix here. *Which* site was it? If we can't see what
they're doing we have no idea what to fix.

You're right that the browser is either vulnerable or not, and our job as
developers is to fix the vulnerabilities. But as a matter of personal safety, if
there is a not-yet-known vulnerability then you're more at risk on those sorts
of sites.
Invalid - without even knowing which site did this, we don't have enough
information to figure out what the security hole is.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
weather.exe (weather bug) is semi-legit adware packaged with lots and lots of
software at this point. Legit in so far as usually you have given it permission
to run buried in the EULA of whatever it is you're installing ("semi" because
most people consider it sneaky adware anyway). Merely having weather.exe is no
evidence of how you got it.
(In reply to comment #5)
> weather.exe (weather bug) is semi-legit adware packaged with lots and lots of
> software at this point. Legit in so far as usually you have given it permission
> to run buried in the EULA of whatever it is you're installing ("semi" because
> most people consider it sneaky adware anyway). Merely having weather.exe is no
> evidence of how you got it.

I could swear I didn't explicitly allow any program to run on my PC (Windows or
Norton usually pop up a warning.)  Also, Norton detected it and isolated it in
the same session.

Anyhow, I can't prove it and I am starting to forget.  I have reported what I
saw and don't have any more to contribute.  It is flagged as "resolved invalid"
and I will leave it at that.

If it was a security hole, sooner or later someone else will experience it. 

Thanks for looking into it. 