
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-11-20


Bofra/IFrame Exploits on More Web Sites (updated); IFRAME vulnerability summary; Two more IE Exploits

Published: 2004-11-20
Last Updated: 2004-11-21 00:39:06 UTC
by Kyle Haugsness (Version: 1)
Bofra/IFrame Exploits on More Web Sites

The Storm Center received a report this morning of a high profile UK website that contains a pointer on their main page to another URL hosting the Bofra/IFrame exploit. We have confirmed that if this site is visited using Internet Explorer the exploit will be downloaded. The site owners have been notified.

I know that everybody wants to know "which site?" but to keep little Johnny from burning his fingers we will not list the URL. Please exercise caution when using Microsoft's Internet Explorer since this issue has no current patch. The Storm Center recommends using an alternative browser when visiting sites other than those you absolutely trust.

Thanks to Mark for reporting this to us, and we request that if other sites are found with the Bofra/IFrame exploit on it, let us know. We will attempt to contact the site owners and inform appropriate government response teams if needed.

UPDATE, 1525 UTC. The site in the UK has been fixed. We have received reports of sites in Sweden and the Netherlands that were also compromised. This may indicate a more widespread attack across Europe. One suggestion is that the advertising servers, rather than the sites themselves, contain the exploit, which of course means that perhaps hundreds of sites are affected.
Marcus H. Sachs

Director, SANS Internet Storm Center

UPDATE BELOW at 18:17 UTC - Kyle Haugsness

Microsoft IE IFRAME vulnerability summary (Bofra worm)

Just to refresh everyone on the details. On October 24, a vulnerability was discovered in the IFRAME tags of Internet Explorer 6.0 affecting all Windows platforms except Windows XP SP2. This vulnerability can be exploited by going to a website that has malicious code. Currently, some high profile sites with banner ads are linking to servers that have the exploit and malicious code.

reported as not vulnerable. If you are running IE 6, you are HIGHLY RECOMMENDED to use a different web browser until a patch is released by Microsoft. Microsoft has confirmed the vulnerability with media organizations, but has yet to release any statement on their website. The next scheduled patch-release day at Microsoft is 24 days away (on December 14).

If you operate a web site that serves banner advertisements, we strongly recommend that you verify that the banners do not contain the IFRAME exploit code. Or you might want to consider disabling banner ads for a little while to minimize the risk of accidentally infecting your users and propagating the malware.
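The check recommended above can be partly automated. The following is an added example (not code from the diary or from SANS), written from a site operator's point of view: it parses the HTML that an ad slot would serve and reports any IFRAME or FRAME element that a reviewer should look at before the banner goes live. The review criteria are general heuristics chosen for this example, not a signature taken from the diary: a frame that pulls content from a host other than the site's own, a frame that is too small or styled to be invisible, and an attribute value far longer than any banner needs. The hostnames, the sample markup and the thresholds MAX_ATTR_LEN and TINY_PX are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic thresholds chosen for this example (assumptions, not values from the diary).
MAX_ATTR_LEN = 256  # attribute values longer than this are unusual for a banner
TINY_PX = 2         # a width/height at or below this means the frame is effectively hidden


class IframeAuditor(HTMLParser):
    """Collects every IFRAME (and FRAME) start tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; valueless attributes come back as None.
        if tag in ("iframe", "frame"):
            self.frames.append({name: (value or "") for name, value in attrs})


def _px(value):
    """Parse a width/height attribute such as '1' or '1px' into an int; None if not plain pixels."""
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def audit_banner_html(html, site_host):
    """Return one finding per frame that needs human review, with the reasons it was flagged."""
    parser = IframeAuditor()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src", "")
        reasons = []

        # 1. Content loaded from a host that is not the site itself (third-party ad server).
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append(f"loads off-site content from {host}")

        # 2. A frame the visitor cannot see has no legitimate purpose in a banner.
        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        if (width is not None and width <= TINY_PX) or (height is not None and height <= TINY_PX):
            reasons.append("frame is too small to be visible")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("frame is hidden via CSS")

        # 3. Oversized attribute values are out of place in ad markup and worth a look.
        for name, value in attrs.items():
            if len(value) > MAX_ATTR_LEN:
                reasons.append(f"attribute '{name}' is {len(value)} chars long")

        if reasons:
            findings.append({"src": src[:80], "reasons": reasons})
    return findings


# Constructed sample snippets (not real ad markup): a benign self-hosted banner, and one
# that also pulls a 1x1 frame from a third-party host with an oversized NAME attribute.
BENIGN_BANNER = (
    '<div class="ad"><a href="/promo"><img src="/img/banner.gif" width="468" height="60"></a></div>'
)
SUSPICIOUS_BANNER = (
    '<div class="ad"><img src="/img/banner.gif" width="468" height="60">'
    '<iframe src="http://ads.example.invalid/x.html" width="1" height="1" '
    'name="' + "A" * 600 + '"></iframe></div>'
)

if __name__ == "__main__":
    for label, html in (("benign", BENIGN_BANNER), ("suspicious", SUSPICIOUS_BANNER)):
        for finding in audit_banner_html(html, "www.example.invalid"):
            print(f"[{label}] {finding['src']}: " + "; ".join(finding["reasons"]))
```

Run it over the HTML your ad server actually returns (after any rotation or redirect has been followed), not over the template, since the diary's point is that the hosting site can be clean while the ad server is not. The benign banner produces no output; the suspicious one is reported three times over, once per criterion that matched.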

Since this vulnerability is easy to exploit, it is likely that malware for this issue will come in many flavors and colors. In addition to the possibility of becoming infected while surfing a website, there are e-mail propagation vectors. On November 8, we reported that MyDoom.AG and MyDoom.AH (which spread via e-mail) utilize this exploit:

Note that some versions of MyDoom that include the IFRAME exploit are being called Bofra (variants A - :

More vulnerability details:

UPDATE BELOW at 00:30 UTC - Kyle Haugsness

Two More IE Vulnerabilities

Exploit code has been released for two more Internet Explorer vulnerabilities that were disclosed on Wednesday (Nov. 17). This code would enable an attacker to trick users into executing malware. These vulnerabilities affect Microsoft Internet Explorer 6.0 SP2 and are not prevented by Windows XP SP2.

The original advisory is here:

The proof of concept exploit:

While on the topic, it is interesting to note some statistics that Secunia has been compiling about Internet Explorer vulnerabilities:

IE 5.01 - 42 advisories (7 unpatched)
IE 5.5 - 55 advisories (8 unpatched)
IE 6.0 - 69 advisories (18 unpatched)
