Full Disclosure mailing list archives
Re: Yet another 0day for IE (Disabling Javascript no longer a fix)
From: "Bill Stout" <bill.stout () greenborder com>
Date: Sun, 24 Sep 2006 11:39:33 -0700
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html

"This exploit can be mitigated by turning off Javascripting. Update: Turning off Javascripting is no longer a valid mitigation. A valid mitigation is unregistering the VML dll."

Bill Stout

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Bill Stout
Sent: Saturday, September 23, 2006 12:11 AM
To: Gadi Evron; bugtraq () securityfocus com
Cc: botnets () whitestar linuxbox org; full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Yet another 0day for IE

Hi all,

If anyone finds a site where the 0day still lives, please let me know. All the URLs I've found are off the air.

I did find a websense update not listed here:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=632

There's another websense blog that says the code has been posted (where?):
http://www.websense.com/securitylabs/blog/blog.php?BlogID=81

If you're intentionally digging in the Internet muck for this Trojan (like I am), now is a good time to put some gloves around your browser.
http://www.download.com/GreenBorder-Pro-with-SafeFiles/3000-2092_4-10581692.html
(Wraps IE, FF, and other apps)

Here's the Microsoft Advisory:
http://www.microsoft.com/technet/security/advisory/925568.mspx

Securiteam has a blog on this as well:
http://blogs.securiteam.com/index.php/archives/624

Many companies (e.g. software development) have users running as local admins. To quote from Securiteam:

"Also worth mentioning is that the current in-the-wild exploits attempt system-wide software installations, as do most zero-day exploits for such vulnerabilities. If your browser is not running under an account with administrative privileges, this will not succeed."

Thanks,

Bill Stout

My opinions are my own, and my keyboard is often accompanied by a glass of wine or whiskey.
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Gadi Evron
Sent: Tuesday, September 19, 2006 2:47 PM
To: bugtraq () securityfocus com
Cc: botnets () whitestar linuxbox org; full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Yet another 0day for IE

Webattacker is a hacker kit for preparing a website to exploit users, infecting them. It has statistics on OS, browser type, etc., as well as on how many got infected by what exploit, etc.

Nick FitzGerald, Roger Thompson and now Dan Hubbard (http://www.websense.com/securitylabs/blog/blog.php?BlogID=80) report that sites seen exploiting this 0day in-the-wild have previously been seen utilizing Webattacker.

If Webattacker indeed uses this 0day... it will be spread far and wide. No patch in sight. Easy to exploit.

Gadi.

On Tue, 19 Sep 2006, Gadi Evron wrote:
Sunbelt Software released a warning on a new IE 0day they detected in-the-wild, to quote them:

"The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode. It is currently on and off again at a number of sites. Security researchers at Microsoft have been informed. This story is developing and research is ongoing. Security professionals can contact me for collaboration or further information. This exploit can be mitigated by turning off Javascripting."

They also notified some closed and vetted security information sharing groups on the matter, with further details. You can find their blog entry here:
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html

That's that.

Why do I call it a 0day? Because it has indeed been used in-the-wild before it was publicly discovered. People are CURRENTLY, and for a while now, being exploited.

Lately we call every exploit being released in full disclosure mode a 0day. That's a 1-day, or at least it has to be from now on, as there are just too many of those and there are more to come.

This trend started with Websense detecting an IE 0day (not really IE - WMF) used in-the-wild by spyware, to infect users.

"Responsible disclosure" is important, but when it takes so long to get a response or a fix with "Irresponsible vendors", and with so much money to be made by not disclosing vulnerabilities at all - it is becoming passe.

New exploits don't need to be gleaned from patches or feared in full disclosure. Someone just pays for a 0day.. it's their business and they invest in it.

So:
1. Lots more coming.
2. Please call it a 1-day if it's full disclosure mode, and 0day if it has been seen in-the-wild.

The motivation has now moved from "let's be responsible" or "let's have fun" to "let's make money" or "let's stop waiting and be mocked by irresponsible vendors". This is not about everybody, it's about how things are.

Even idefense and zdi can't pay enough when compared with people who make money from what the 0day gives them - exploited users and a money making botnet.

Thanks,

Gadi.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
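The workaround Bill Stout relays at the top of the thread is "unregister the VML dll" rather than disable scripting. The script below is an added example, not code from any post in this thread or from the Microsoft advisory: it lists every CLSID whose in-process COM server is that DLL, unregisters it with regsvr32 /u (the method the linked advisory describes), and re-checks the registry so you know the workaround actually took. The default path under Common Files\Microsoft Shared\VGX is the one the advisory uses; on other installs, and for the 32-bit copy under ProgramFiles(x86) on 64-bit Windows, pass -DllPath explicitly. Run it from an elevated prompt, since HKCR\CLSID writes need administrative rights.

```powershell
# Added example (not from the thread or the advisory): verify and apply the
# "unregister the VML DLL" workaround, then confirm it took effect.
# Assumption: vgx.dll sits at the default path the Microsoft advisory gives.
param(
    [string]$DllPath = (Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll')
)

function Get-ComServerRegistrations {
    # Return every CLSID (native and, on 64-bit Windows, Wow6432Node) whose
    # InprocServer32 default value names $DllName. Matching on the file name
    # copes with quoted or %VAR%-style paths stored in the registry.
    param([Parameter(Mandatory)][string]$DllName)
    $roots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
               'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') |
             Where-Object { Test-Path -Path $_ }
    foreach ($root in $roots) {
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $inproc = "$root\$($key.PSChildName)\InprocServer32"
            if (-not (Test-Path -Path $inproc)) { continue }
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if (-not $server) { continue }
            $file = [System.IO.Path]::GetFileName($server.Trim('"'))
            if ($file -ieq $DllName) {
                [pscustomobject]@{ Root = $root; Clsid = $key.PSChildName; Server = $server }
            }
        }
    }
}

function Invoke-Regsvr32 {
    # Wrap regsvr32 so the result comes back as an exit code instead of a
    # dialog box. /s = silent, /u = unregister. Without -Unregister the DLL is
    # registered again, which is what you do once the vendor patch is installed.
    param([Parameter(Mandatory)][string]$Path, [switch]$Unregister)
    $argList = @('/s')
    if ($Unregister) { $argList += '/u' }
    $argList += "`"$Path`""
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru
    return $proc.ExitCode
}

$dllName = [System.IO.Path]::GetFileName($DllPath)
$before = @(Get-ComServerRegistrations -DllName $dllName)
Write-Host ("{0} CLSID(s) currently served by {1}" -f $before.Count, $dllName)
$before | Format-Table -AutoSize

if ($before.Count -eq 0) {
    Write-Host "Nothing to do: $dllName is not registered as a COM server."
    return
}
if (-not (Test-Path -Path $DllPath)) {
    throw "Registered in HKCR but not found on disk at $DllPath; fix -DllPath before unregistering."
}

$rc = Invoke-Regsvr32 -Path $DllPath -Unregister
Write-Host "regsvr32 /u exit code: $rc (0 = success)"

# Re-read the registry rather than trusting the exit code alone.
$after = @(Get-ComServerRegistrations -DllName $dllName)
if ($after.Count -eq 0) {
    Write-Host "Workaround in place: no CLSID points at $dllName. Restart IE; a running instance keeps the DLL it already loaded."
} else {
    Write-Warning ("{0} CLSID(s) still point at {1}; a second copy (e.g. the 32-bit DLL under ProgramFiles(x86)) must be unregistered separately." -f $after.Count, $dllName)
    $after | Format-Table -AutoSize
}
```

The re-check matters because regsvr32 only reports whether DllUnregisterServer ran, not whether anything else still maps a CLSID to the file. Once the patch is installed, run `Invoke-Regsvr32 -Path $DllPath` without -Unregister to restore VML rendering, as the advisory instructs; leaving it unregistered after patching just breaks pages that use VML for no security gain.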
Current thread:
- Yet another 0day for IE Gadi Evron (Sep 19)
- Re: Yet another 0day for IE Gadi Evron (Sep 19)
- Re: Yet another 0day for IE Bill Stout (Sep 23)
- Re: Yet another 0day for IE (Disabling Javascript no longer a fix) Bill Stout (Sep 24)
- ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)] Gadi Evron (Sep 24)
- Re: ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)] Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Sep 25)
- Re: ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)] Gadi Evron (Sep 25)
- Re: ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)] Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Sep 25)
- Re: ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)] Bojan Zdrnja (Sep 25)
- Re: Yet another 0day for IE Bill Stout (Sep 23)
- Re: Yet another 0day for IE Gadi Evron (Sep 19)
- Re: Yet another 0day for IE (Disabling Javascript no longer a fix) Nick FitzGerald (Sep 24)
- Re: Yet another 0day for IE Ronald MacDonald (Sep 25)