
Removing exploit:win32/cve-2011-0096.A



Hello,

 

In my previous post, I asked for help removing exploit:win32/cve-2011-0096, which I was eventually able to remove. However, recently Microsoft Security Essentials detected a new virus, exploit:win32/cve-2011-0096.A, which seems to indicate that the first one was never actually removed. So now I need help fully removing this new one. Currently Essentials has quarantined the virus, but I want to remove it completely. I ran MalwareBytes, however it did not detect it.

 

I have a Fujitsu Tablet that runs Windows 7 64 bit. Any help would be appreciated.

 

Here is the link to my first post.

https://forums.malwarebytes.org/index.php?showtopic=143861&hl=


Hi again,

 

As you can see here, detected files with this threat are specially crafted HTML documents that try to attack vulnerabilities on your computer.

We've updated the Microsoft as well as the third party products on your machine so you should not be vulnerable to this exploit.

 

MSE was doing its job and deleted the file.

 

Microsoft provides additional steps to prevent your computer from being infected again: http://www.microsoft.com/security/portal/mmpc/shared/prevention.aspx


I watched the first thread and I watched this one as well.
 
The first thing to realize is that this is Exploit code.  It is not a virus and should not be equated with a virus or even with a trojan for that matter.
 
As Exploit code its function is, as Psychotic mentioned, to attack vulnerabilities.  That is, a specially crafted piece of code is used to exploit a software vulnerability.  If the vulnerability has not been patched then, based upon the actual attack ploy/process, a malware infection may be the result.
 
Malware is defined as Malicious Software, so code that exploits any vulnerability is deemed to be a sub-type of malware just as trojans and viruses are sub-types of malware. Unlike trojans and viruses they have no payload.  They are used in a ploy to deliver a payload, just as a battering ram is used to break down a door.  It is the ones who wield the battering ram that must deliver the payload.
 
A quasi-governmental company has been contracted by the US Government for purposes of enumerating vulnerabilities in a database.  The company is MITRE and the database is called the Common Vulnerabilities and Exposures or CVE.  The database assigns a unique number to a given vulnerability based upon the Year discovered and its place in being found.  Thus we can look at what was found on your PC: CVE-2011-0096.
 
CVE-2011-0096 - This was the 96th vulnerability cataloged in the year 2011.  We can go to MITRE's CVE database and look it up: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0096
 
The description is as follows:

The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly handle a MIME format in a request for content blocks in a document, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site that is visited in Internet Explorer, aka "MHTML Mime-Formatted Request Vulnerability."

 
So if your PC is properly being patched, you should have installed the patch that mitigates this vulnerability in 2011.
 
The next thing is to actually determine the agent of the Exploit.  That is to view the LOG of MSE of the event where MSE flagged the subject of this thread.
 
The following Microsoft Community thread tells one how to view the Event Log to access this kind of event.  
where does microsoft security essentials keep a log of its activites.
 
as does this Bleeping Computer thread
Log from Microsoft Security Essentials Scan

 

The reason I bring up the log is to determine what and how the agent is seen by your Operating System.

Is it a viewed web page?

An email?

Then we can determine the cause of the action and mitigate it for the future.

 

In summation:

This is not a virus and should not be considered as such.

It is Exploit code identified, and patched, in 2011 and your PC should have the associated mitigation patch installed by now.


Thank you.  Extracted...

 

Resource Path:C:\Windows\Installer\401a932.msi->Data1.cab->advisories.zip->Advisories/zh-CHT/MHTMLXSS.xml
Result Count:36
Threat Name:Exploit:Win32/CVE-2011-0096.A

 

So basically MSE is opening a Microsoft Installer Package (401a932.msi) in which it finds a Microsoft Cabinet File, which is a type of archive file (Data1.cab), in which in turn it finds a ZIP file (advisories.zip), and within that ZIP it finds MHTMLXSS.xml and is flagging that as the subject matter Exploit.

 

I don't know what the Microsoft Installer Package, 401a932.msi, is for but I don't see anything to worry about.  In fact, since it was within an advisories.zip file it may very well be a False Positive.  It certainly does not come across as a deliberate Exploitation attempt.  This was seen in multiple Language Formats of "MHTMLXSS.xml", thus reinforcing my opinion that it is a False Positive.

 

A way to mitigate MSE alerts on this would be to EXCLUDE "C:\Windows\Installer\401a932.msi" from "On Demand" and "On Access" scans.


From what I see, it does not appear to be a "purposeful" exploitation attempt.

 

Open: Microsoft Security Essentials

Choose: "Settings" --> "Excluded files & locations" --> "Add"

Browse to or manually add: C:\Windows\Installer\401a932.msi


I am sorry if I am failing to explain this so please let me reiterate...
 
This was the 96th vulnerability discovered and cataloged in 2011.
A patch was created in April 2011.
 
The likelihood that you have this patch installed is very high.
 
Amendment:
Microsoft identified this as MS11-026 -- Microsoft Security Bulletin MS11-026 - Important
That means it was Microsoft's 26th vulnerability identified in 2011.

 

You stated... "I have a Fujitsu Tablet that runs Windows 7 64 bit."
Security Update for Windows 7 for x64-based Systems (KB2503658)

 

You asked... "why am I suddenly getting this now though?"

It could be that "C:\Windows\Installer\401a932.msi" is a recent addition to your PC.

It could also be a redefinition in the Microsoft Security Essentials signature base that subsequently caused this to be suddenly flagged.

It could also be because of the high probability that this is a False Positive declaration.


Alright, but on the off chance that I didn't install the patch, could I go to that link and install it manually? Would doing so cause any problems? I understand that my computer should have patched it up long before, but to be sure I want to do it again. I remember there was a period when my system was able to update properly for a while.


No, it means what the statement indicated, "update was not applicable to your computer", and I went by what you posted: "I have a Fujitsu Tablet that runs Windows 7 64 bit".

 

Which takes us back to;  Microsoft Security Bulletin MS11-026 - Important

 

You would have to drill down through to "Affected Software" and find your OS and choose that to obtain the associated 2011 generated patch.

 

Looking at the previous thread, a submitted log showed "Windows 7 Enterprise Service Pack 1" which does point back to;  http://www.microsoft.com/en-us/download/details.aspx?id=548


Going back to;  Microsoft Security Bulletin MS11-026 - Important
 

Vulnerability Information -->

MHTML Mime-Formatted Request Vulnerability - CVE-2011-0096 -->

Workarounds for MHTML Mime-Formatted Request Vulnerability - CVE-2011-0096 -->

For 64-bit editions of Microsoft Windows:

 

Shows a Registry modification to mitigate this vulnerability (MHTML lockdown) which has been attached here -->  CVE-2011-0096.zip

 

Open the ZIP file and Double-Click on the REG file to import the changes.


Based upon reading the associated Microsoft Bulletin, MS11-026, it is a Workaround with the following caveat...

 

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

 

However, I have done some research and it is possible to get "update was not applicable to your computer" based upon it having been installed already or if a subsequent update was installed that covered this.

 

So I did a couple of tests. 

 

On my Windows Vista system, I went to "Windows Update" --> "Installed Updates"

I did a search on "KB2503658" and found this patch was installed.

 

I recently installed Windows 7/32 SP1, from scratch, on a system I just built a week ago.

I went to "Windows Update" --> "Installed Updates"
I did a search on "KB2503658" and did NOT find this to be installed.

 

I downloaded the patch associated with "KB2503658" and ran it and I too got "update was not applicable to your computer".

 

Therefore I will state that you are properly patched to mitigate this vulnerability.

 

Is there anything else ?

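The replies above walk through three manual checks: reading the MSE detection out of the Event Log, reading the nested "Resource Path" that names the flagged item, and searching "Installed Updates" for KB2503658. The script below is an added example that scripts those same checks; it is not code from the thread, from Malwarebytes or from Microsoft. It assumes (my assumptions, not stated on the page) that MSE writes its detections to the System event log under the provider name "Microsoft Antimalware" with event IDs 1116 (detected) and 1117 (action taken), and it takes KB2503658 as the MS11-026 update for Windows 7 x64 because that is the KB quoted in the thread. It is written for the PowerShell 2.0 that ships with Windows 7 and should be run from an elevated prompt.

```powershell
# Added example (not from the thread or from Microsoft): scripts the checks the
# replies above describe doing by hand on a Windows 7 machine running MSE.
# Assumed: MSE logs to the System log as provider "Microsoft Antimalware",
# events 1116/1117; KB2503658 is the MS11-026 update for Windows 7 x64.

function Split-ResourcePath {
    # MSE reports an item inside nested archives as "outer->container->...->item".
    # Breaking the chain apart shows where the flagged item actually lives; a hit
    # under the Windows Installer cache is a cached setup package, not a page
    # Internet Explorer rendered, which is why the thread reads it as benign.
    param([Parameter(Mandatory = $true)][string]$ResourcePath)

    $parts = $ResourcePath -split '->'
    $containers = @()
    if ($parts.Count -gt 2) { $containers = $parts[1..($parts.Count - 2)] }

    New-Object PSObject -Property @{
        OuterFile        = $parts[0]
        Containers       = $containers
        FlaggedItem      = $parts[-1]
        InInstallerCache = ($parts[0] -like "$env:SystemRoot\Installer\*")
    }
}

function Test-Ms11026Patch {
    # Scripted version of the "Installed Updates" search in the thread.
    # No hit does not prove the machine is unpatched: the reply above shows a
    # fresh Windows 7 SP1 install reporting "not applicable" because a later
    # update already covered the fix, so treat a miss as "verify", not "missing".
    param([string]$Kb = 'KB2503658')

    $hit = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    if ($hit) {
        "$Kb is installed (InstalledOn: $($hit.InstalledOn))"
    } else {
        "$Kb is not listed; the fix may have been superseded, so check Windows Update history before acting"
    }
}

function Get-MseDetectionEvents {
    # Pulls the MSE detection/action events the thread tells the poster to look
    # up in Event Viewer, keeping only those that mention the CVE in question.
    # The Message text carries the resource path, which can then be fed to
    # Split-ResourcePath.
    param([string]$Pattern = 'CVE-2011-0096', [int]$MaxEvents = 500)

    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft Antimalware' } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { (1116, 1117) -contains $_.Id -and $_.Message -match $Pattern } |
        Select-Object TimeCreated, Id, Message
}

# Sample input: the resource path quoted earlier in this thread.
$sample = 'C:\Windows\Installer\401a932.msi->Data1.cab->advisories.zip->Advisories/zh-CHT/MHTMLXSS.xml'
Split-ResourcePath -ResourcePath $sample | Format-List OuterFile, Containers, FlaggedItem, InInstallerCache

Test-Ms11026Patch

Get-MseDetectionEvents | Format-List TimeCreated, Id, Message
```

For the path quoted in the thread, Split-ResourcePath reports OuterFile C:\Windows\Installer\401a932.msi, Containers Data1.cab and advisories.zip, FlaggedItem Advisories/zh-CHT/MHTMLXSS.xml, and InInstallerCache True, which is the same reading the reply above arrived at by eye. Test-Ms11026Patch deliberately does not conclude "unpatched" on a miss, for the reason the final reply gives: a superseded update is reported as not applicable and will not appear under its own KB number.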
