According to the writer, MS has confirmed this and he has removed his PoC code.
MS is working on a patch.
With this vulnerability it is possible to run an hta-file without the user's permission.
While MS is working on a fix it is perhaps a good idea to use the Web-shield and block hta-files. In my opinion this shows the usefulness of the Webshield in different situations.
Just a thought: I’m not sure how severe this can be before it is patched, but assuming another severe threat to come in the future that can be handled in this way by Webshield. How to communicate that to the users of Avast? I am thinking of a sort of infochannel for urgent messages. Just my thoughts… I have got no answers.
Webshield/URL-blocking/*.HTA Just as we (edit: some of us) did with *.WMF under the wmf-vulnerability.
Edit: The problem is related to the way IE6 processes so-called HTA files.
I thought and still think the Webshield is a handy method for stopping IE from misprocessing HTA files by letting the Webshield block the HTA files before they reach IE6.
The scanning of .hta files is part of the default list of files to be scanned by standard shield; web shield should also scan .hta files as a consequence of the Scan all files option.
There may well be legitimate uses for .hta files (few and far between though I think) so I would be reluctant to block it. Currently the only additional file type I block is *.pif files in web shield.
Q: Should I be worried?
A: I haven't seen this particular exploit in the wild, so you don't have to worry, but if you are, there are several things you can do:
• Install a virusscanner
• Install anti-spyware software
• Use another browser like Firefox
Agree, but the problem is that scanning of these files is of no help at this point. No signatures can possibly have been made for this special exploit.
We are speaking of .HTA-files on the web. The answer I have got from experts is that the functionality of browsing will not be destroyed by blocking hta files on the web.
I feel that we are talking different languages, and after thinking about it we really are! (in double meaning) ;D
Anyway, just trying to help. Can’t succeed every time.
I also have a little program called script trap that intercepts .hta files, so they can’t run without my express authorisation, if denied they don’t have access to the run time files.
So for me perhaps it is less important to block, however, blocking .hta files is a relatively simple option that as you say shouldn’t affect browsing.
You have helped by raising the topic; people now have several options in what they can choose.
Do you mean just add *.hta in the WebShield settings?
I’m not that sure the mask will work as being a file. It’s supposed to be http://www kind of addresses.
Maybe somebody else could confirm or anybody can test this…
Good to see that it is an old vulnerability, or rather sorry it is the same old news for which they developed HTASTOP. Bitdefender’s AVX Script Wall is also a perfect protection against these particular holes. It is a sorry thing the old MS vulnerabilities keep re-appearing again and again. Malware is always using a limited number of these never-failing gaping holes in scripts as a means of malware vectors to infect loads of Windows platforms, and there are still so many millions of unpatched machines to choose from. The motto should be UPDATE and PATCH, you folks or it will never end.
And, update/patch should be pro-active on the computer owner’s part. I do this at least once a week for the OS and all security related programs … and more often if I feel there is a need or if new info is available in the General forum’s Updates thread.
I look at it this way … Do I want to spend 30 mins doing updates once a week, spend possibly many hours cleaning an infection, or $1000 USD for a new computer? Yep, I choose the 30 mins worth of updates. Of course, updates alone are not enough. The programs have to also be used … at least once a week for me.
Yeah, I have XP set up for auto-updates but that just is not enough to me. In the past, I have found out about Windows updates 2 or 3 days before the auto-update worked. We all know how short the time span is before a possible infection occurs.
Be pro-active, People … protect your computer, your on-line experience, and maybe even your life-style off the internet.
Now that we have the final answer, we can see that this would indeed have mitigated this exploit:
Excerpt from MS Security Bull 06-013:
"Workarounds for HTA Execution Vulnerability - CVE-2006-1388:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
• Un-register the Mshta.exe file
To un-register the Mshta.exe file, use the following command:
Click Start, click Run, type "%windir%\system32\mshta.exe /unregister" (without the quotation marks), and then click OK.
Impact of Workaround: Users will be prompted to select a software to open HTML Applications (.HTA files) with.
To undo this change, re-register Mshta.exe by following the above steps. Replace the text in Step 1 with "%windir%\system32\mshta.exe /register" (without the quotation marks)."
We would indeed be still more safe than this because we wouldn’t get the prompt to select a software to open .HTA files with. .HTA-files would have been GONE.
Again, this shows the usefulness of the blocking feature in Webshield in many different situations. (not only ads and other unwanted contents as shown in another thread.)
Webshield rules, but to catch malware through the HTML stream as always stated as primary objective of the webshield in this forum, it depends on (up-to-date ;)) definitions.
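
A check for whether the Mshta.exe un-register workaround quoted from the Microsoft bulletin above is in effect on a machine. This is an added example, not part of any post in this thread or of the bulletin; it assumes the workaround shows up as the .hta extension no longer having an open command that points at mshta.exe, and the function name Get-HtaHandler is hypothetical.

```powershell
# Added example: report whether .hta files still resolve to mshta.exe.
# Assumption: after "mshta.exe /unregister" the .hta file class no longer
# has an open command pointing at mshta.exe (the bulletin says users are
# then prompted to pick a program for .HTA files).
function Get-HtaHandler {
    # HKEY_CLASSES_ROOT is not a default PowerShell drive, so address it
    # through the registry provider. It is the merged per-machine and
    # per-user view of file classes.
    $root = 'Registry::HKEY_CLASSES_ROOT'
    $progId = $null
    $command = $null

    $extKey = Get-Item -LiteralPath "$root\.hta" -ErrorAction SilentlyContinue
    if ($extKey) {
        # The default value of the extension key names the file class (ProgID).
        $progId = $extKey.GetValue('')
    }
    if ($progId) {
        $cmdKey = Get-Item -LiteralPath "$root\$progId\shell\open\command" `
            -ErrorAction SilentlyContinue
        if ($cmdKey) {
            # The default value is the command line run when the file is opened.
            $command = $cmdKey.GetValue('')
        }
    }

    [pscustomobject]@{
        Extension   = '.hta'
        ProgId      = $progId
        OpenCommand = $command
        UsesMshta   = [bool]($command -and $command -match '\bmshta\.exe\b')
    }
}

$result = Get-HtaHandler
$result | Format-List

if ($result.UsesMshta) {
    Write-Warning '.hta files still open with mshta.exe; the workaround is not in effect.'
} else {
    Write-Output '.hta has no mshta.exe open command registered.'
}
```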