<!--
I thought you were already aware of the text/x-scriptlet object variation of Ibiza which was exploited in the wild before Ibiza was even discussed on Bugtraq
-->

Really? I'd be most interested in seeing a reference to that. The time-line I have is:

1. On Wednesday, February 11, 2004 3:21 AM someone sent me a link to www.ibiza-victoria.com which was riddled with images and iframes pointing to the chm file. At the time nothing happened when viewing it as it used the object code base in the chm to trigger which was patched on XP, as a result no further examination took place.

2. Liu Die's fake mhtml redirect was published in December 2003 along with minor mentions of similar fake file tricks prior to that.

3. On Sat Mar 27 2004 - 13:17:45 CST the "new worm?" thread was posted on bugtraq. At the time I took Internet Explorer to the address and port mentioned in the post and actually infected myself. Closer examination revealed the exact same technique as ibiza, that is, with iframes and images used to render, draw to the cache and refresh in order to activate it.

4. Trying to reproduce on my server failed and at that time I placed it in an object with type="text/x-scriptlet" without the need for refresh or images to cache the file or iframes to render it. Hence my notation with the demo of a more robust method.

5. Punching in <object data="ms-its:mhtml: to google, which is the core of this, reveals nothing prior to April. That is object with type="text/x-scriptlet" and referencing a non-existent mhtml file inside a chm to redirect to the local file.

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%3Cobject+data%3D%22ms-its%3Amhtml%3A&btnG=Search

Therefore when and when exactly was this same technique used prior to ibiza being posted on bugtraq?

This is not about semantics but accuracy in security which without it, leads to insecurity or no security at all.
--
http://www.malware.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
