On Fri, 19 Dec 2003 14:35:43 +0000 petard wrote: [snip] > Summary: Not only is there a stupid, possibly exploitable, buffer > overflow here, but the place I'm seeing it is in a section of the code > whose main purpose appears to be submitting information about what you > browse back to the code's authors. I'd say this is malicious... the user > is certainly not warned of this prior to downloading the patch. Since I > never executed it, I have no idea of whether or not they are warned by > an installer. Call it a trojan, call it spyware, but don't execute it.
I played with it yesterday. It also installs "LiveUpdate" which runs when you logon to your PC. If you uninstall IEXPatch.exe, LiveUpdate remains. The *.url files in the LIVEUPDATE dir point to: http://liveupdate.openwares.org/index.html http://liveupdate.openwares.org/Manual.htm http://liveupdate.openwares.org/EULA.htm Added to C:\Program Files\ 12/18/03 02:55p <DIR> LIVEUPDATE 12/18/03 02:55p <DIR> Openwares IE Security Patch Added to C:\Program Files\LIVEUPDATE\ 12/18/03 02:55p <DIR> Bin 12/13/03 06:17p 61,440 LiveUpdate.exe 11/06/03 01:36p 61,440 Uninstall.exe 12/08/03 02:22a 143,360 Remind.ocx 12/15/03 05:27p 66 About.url 12/15/03 05:27p 64 EULA.url 12/15/03 05:27p 66 Manual.url Added to C:\Program Files\LIVEUPDATE\Bin\ [empty] Added to C:\Program Files\Openwares IE Security Patch\ 12/15/03 05:10p 53,248 OpenwaresIEPatch.dll 12/18/03 02:55p 51,520 Uninstall.exe Cheers, Erik _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
