Full Disclosure mailing list archives
RE: How often are IE security holes exploited?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 13 Dec 2002 21:14:44 +1300
"Richard M. Smith" <rms () computerbytesman com> replied to Paul:
Thanks for the reply. Let me try to clarify things a bit. I'm most interested in security holes related to IE, ActiveX controls, and the Microsoft JVM. Basically things that can be exploited from an HTML Web page or email message. As you noted, these kinds of security holes can be exploited from Outlook, Outlook Express, and Windows Media Player.
OK -- that's pretty much what I assumed in my other answer.
Something like Loveletter didn't use any security holes to run. It's probably the best example of social engineering being used to get people to run a virus/worm by clicking on an attached file.
Well, it is that, but it was so successful because far too many _corporate_ sites were so mal-administered or mal-managed. LoveLetter did not get sent to 350 squillion Email addresses because it found that many addresses in home and small business user address books. It got there because it hit a few really large sites (think DoD, and the _really big_ corporations -- places with huge GALs and that use Outlook). It took that level of embarrassment (sometimes repeated two or three times in the ensuing month or two) for the admins and/or management at many large corporate sites to acknowledge that only blocking known viruses coming in, or possibly "known viruses plus attachments of one or two extensions that we suspect might be the big problem ones" was yet another case of a simplistically stupid approach to a complex problem that had only started to actually be exploited at that point...
Also does anyone know of an example of a virus or worm that used an IE security hole that hadn't been seen before?
I forget exactly which offhand (perhaps the first Yaha or something just before it?) took advantage of the CR-only (or LF-only??) line break issue, in which many Unix mail servers will incorrectly pass what should be CRLF line-terminations and are otherwise invalid characters in standard SMTP traffic. Several content filter and AV Email scanner parsers "mis-handled" these messages, missing the attachments entirely (why these products were not written from the beginning to "fail closed" has still not been satisfactorily answered) and passing the bad messages on. Of course, Outlook and/or OE "happily" saw the messages as intended and they would detach and run the attachments (and of course the users, feeling "safe" because they knew their Email was scanned for bad things, happily double-clicked away...).

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
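An added example (my own, not code from the post or from any scanner product) of the parser discrepancy Nick describes and the fail-closed handling he argues for: a CRLF-only scanner misses the attachment in a bare-LF message, while a scanner that normalizes line terminators before MIME parsing finds it and quarantines the malformed mail. The message, header values and filename are constructed for the demo.

```python
import email
import re
from email import policy

# Constructed sample (not from the post): a MIME message whose line
# terminators are bare LF rather than the CRLF that SMTP requires.
BARE_LF_MESSAGE = (
    b"From: sender@example.test\nTo: user@example.test\nSubject: hi\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"XYZ\"\n\n"
    b"--XYZ\nContent-Type: text/plain\n\nsee attached\n"
    b"--XYZ\nContent-Type: application/octet-stream; name=\"file.exe\"\n"
    b"Content-Disposition: attachment; filename=\"file.exe\"\n\nMZ-not-really\n"
    b"--XYZ--\n"
)
_LINE_BREAK = re.compile(rb"\r\n|\r|\n")
_ATTACHMENT = re.compile(rb'^Content-Disposition: attachment; filename="([^"]+)"')


def naive_attachment_names(raw: bytes) -> list:
    """Scanner that only understands CRLF. Fed a bare-LF (or bare-CR) message
    it sees one long line, finds no attachment header, and passes the mail."""
    found = []
    for line in raw.split(b"\r\n"):
        match = _ATTACHMENT.match(line)
        if match:
            found.append(match.group(1).decode())
    return found

def has_nonstandard_line_breaks(raw: bytes) -> bool:
    """True if any terminator is a bare CR or bare LF instead of CRLF."""
    return any(m.group(0) != b"\r\n" for m in _LINE_BREAK.finditer(raw))

def normalize_line_breaks(raw: bytes) -> bytes:
    """Rewrite CRLF, bare CR and bare LF all to CRLF before parsing."""
    return _LINE_BREAK.sub(b"\r\n", raw)

def robust_attachment_names(raw: bytes) -> list:
    """Normalize first, then parse with the stdlib MIME parser, so the
    scanner sees the same structure a lenient mail client will."""
    msg = email.message_from_bytes(normalize_line_breaks(raw), policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def verdict(raw: bytes) -> str:
    """Fail closed: an attachment framed with non-standard terminators is
    quarantined; a well-formed one goes to AV scanning; the rest deliver."""
    names = robust_attachment_names(raw)
    if names and has_nonstandard_line_breaks(raw):
        return "quarantine"
    return "scan-attachments" if names else "deliver"
```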