Mike Healan
http://www.spywareinfoforum.info/articles/htasploit/
Members of the SWI support forums have uncovered a very nasty flaw, already being exploited by malicious hackers, that allows trojans and other malicious software to be introduced onto a machine via Internet Explorer despite security settings.
A file is dropped onto the system via an ActiveX drive-by, the file is run, and it immediately loads the Windows application MSHTA.EXE from the Windows folder. MSHTA.EXE is put into "hot standby", ready to accept HTA scripting within a web page and then EXECUTE what is embedded IN the page as if it were a program. In other words, this flaw makes it possible for a malicious website to embed trojans, worms and/or viruses directly into a web page and infect visitors using Internet Explorer.
Kevin McAleavey, developer of the BOClean anti-trojan program, has long regarded MSHTA as a serious security threat. "While Microsoft has, since our 'big stink' back in 2001, disconnected MSHTA from being INVOKED by Internet Explorer, it will STILL run what is presented to it when started on a local machine in the 'local machine' or 'my computer zone' since this is done on some corporate networks for the convenience of the glass room geeks.
"In other words, this completely bypasses the security zone structures and patches of Internet Explorer BECAUSE MSHTA is ALREADY RUNNING in the 'local' zone ... therefore, when presented with [an HTA] script, it will parse it and run it, despite firewall, and IE restrictions...."
This is a severe security risk, and it is recommended that MSHTA be disabled entirely unless you specifically need it to run. Privacy Software Corporation has developed HTAStop, a small program that allows you to quickly disable or enable Windows' ability to run HTA scripts directly and even renames mshta.exe. HTAStop is located at http://www.nsclean.com/htastop.html.
It does appear that Windows XP makes use of HTA scripting for various parts of the help system and control panel. If you have problems while using Windows XP after using HTAStop, use it to toggle scripting back on.
The flaw cannot be exploited until after the original trojan has been installed, whether by ActiveX drive-by or other methods. It is recommended that you verify that your security settings for the "Internet Zone" are set to prompt or disable for ActiveX that is signed and marked as safe. ActiveX that is unsigned or not marked as safe for scripting should be blocked entirely. If the author cannot be bothered to certify their software, you should not trust it to run on your hardware.
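The two mitigations above (take HTA files away from mshta.exe, and tighten the Internet Zone ActiveX settings) can be audited from an administrator's PowerShell prompt. The script below is an added example written for this page; it is not HTAStop and not code from Privacy Software Corporation or SpywareInfo. It reads two places Windows keeps these settings: the htafile association under HKEY_CLASSES_ROOT, and the per-user Internet Zone (zone 3) policy values 1001, 1004, 1201 and 1405, where 0 means Enable, 1 means Prompt and 3 means Disable. The "compliant" sets encode the article's advice (signed/safe ActiveX at Prompt or Disable, unsigned/unsafe at Disable) and are this example's interpretation, not a Microsoft default. It only reports; it changes nothing.

```powershell
# Added example (not from the article or from HTAStop): audit the two
# mitigations the article recommends on a Windows host, read-only.
#  1. Is .hta still wired to mshta.exe?  (HKCR\htafile\shell\open\command)
#  2. Do Internet Zone (zone 3) ActiveX settings match the article's advice?
# Zone policy IDs and the 0/1/3 = Enable/Prompt/Disable meanings are
# Microsoft's; the "Ok" value sets below are this example's reading of the text.

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Policy ID -> human name and the values the article would accept.
$checks = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                   Ok = @(1, 3) }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                 Ok = @(3) }
    '1201' = @{ Name = 'Initialize/script ActiveX not marked safe';          Ok = @(3) }
    '1405' = @{ Name = 'Script ActiveX controls marked safe for scripting';  Ok = @(1, 3) }
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-HtaAssociation {
    # $true when opening an .hta file still launches mshta.exe.
    $assoc = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\htafile\shell\open\command' -ErrorAction SilentlyContinue
    $cmd = if ($assoc) { $assoc.'(default)' } else { $null }
    if (-not $cmd) { return $false }
    return [bool]($cmd -match 'mshta')
}

function Get-InternetZoneActiveXReport {
    # One row per policy ID with the current value and whether it meets the advice.
    $props = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    foreach ($id in ($checks.Keys | Sort-Object)) {
        $value = if ($props) { $props.$id } else { $null }
        $state = if ($null -eq $value) {
            'not set (inherits default)'
        } elseif ($meaning.ContainsKey([int]$value)) {
            $meaning[[int]$value]
        } else {
            "unknown ($value)"
        }
        [pscustomobject]@{
            PolicyId  = $id
            Setting   = $checks[$id].Name
            Value     = $state
            Compliant = ($null -ne $value) -and ($checks[$id].Ok -contains [int]$value)
        }
    }
}

# Report the findings.
if (Test-HtaAssociation) {
    Write-Warning 'htafile is still associated with mshta.exe; .hta files will run as programs.'
} else {
    Write-Host 'htafile association does not invoke mshta.exe (disabled, renamed, or absent).'
}
Get-InternetZoneActiveXReport | Format-Table -AutoSize
```

If the machine is domain-managed with the "Security Zones: Use only machine settings" policy, the effective zone values live under HKLM rather than HKCU; point `$zoneKey` at the same path under `HKLM:` in that case. A policy value that is "not set" falls back to the zone's built-in default, so the script treats it as non-compliant rather than guessing what that default is.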
My personal advice is to stop using that Microsoft browser that is bundled into every version of Windows. It doesn't work as well as other browsers, it lacks many basic features available in every competing browser, and it is inherently unsafe and targeted by all known browser hijackers. Lock it away behind the firewall and use a real browser.
http://www.nsclean.com/psc-htas.html :: Privacy Software Corporation Security Advisory
http://www.mozilla.org/products/firebird/ :: Mozilla Firebird, a REAL browser
All materials on this web site are copyrighted © 2001 - 2012 by Mike Healan or their respective owners.