Re: MSIE 6/7/8 unpatched vulnerability confirmed

[Juha-Matti Laurio <juha-matti.laurio () netti fi>]

Very good points and references. I'll reply later today.
MSIE vulnerability is Extremely Critical SA38209 now:
http://secunia.com/advisories/38209/2/

Juha-Matti

Paul Ferguson [fergdawgster () gmail com] kirjoitti: 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, Jan 15, 2010 at 12:51 AM, Juha-Matti Laurio
> <juha-matti.laurio () netti fi> wrote:
>
> > http://www.microsoft.com/technet/security/advisory/979352.mspx
> >
> > This is the 0-day vulnerability used in Google China attack.
>
> Minor Correction: This is the 0-Day used in *some* of the Chinese targeted
> attacks.
>
> This appears to be a multi-pronged attack -- other organizations in the
> past week or so have also been targeted via e-mail with malicious
> attachments.
>
> I would be hard-pressed to say that *all* of the targeted attacks *only*
> employed the IE heap-spray 0-Day vulnerability/exploit, since it appears
> that some of the other targeted organizations were targeted with e-mail
> containing malicious attachments, e.g. the law firm (Gipson Hoffman &
> Pancione) that is suing China over the CyberSitter code theft being used in
> Green Dam:
>
> http://blogs.zdnet.com/BTL/?p=29533
> http://www.theregister.co.uk/2010/01/15/cybersitter_law_firm_attack/
>
> Also, we have seen these same tactics used (malicious attachments in e-mail
> disguised as legitimate communiqués) before when targeting Tibetan support
> groups. It is quite possible (although not all the details are yet known)
> that this was also recently used against a local (to me) Stanford student
> is a regional coordinator of Students for a Free Tibet:
>
> http://www.mercurynews.com/ci_14195105
>
> So, it is *quite possible* that this was a series of attacks, where the IE
> 0-Day discovered by McAfee was used on *some* of the targeted victims and
> others were compromised by malicious e-mail attachments  we have seen
> several undetected, booby-trapped .PDF exploits in the past week, including
> this one described this morning over at the SANS Internet Storm Center:
>
> http://isc.sans.org/diary.html?storyid=7984
>
> And also Julia @ FireEye has this excellent post up tonight:
>
> http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html
>
> I think it is dangerous, from a defense perspective, to say "This is
> responsible for that" when there are clearly several different things
> happening here -- instead of looking for quick explanation, everyone should
> step back and observe that there are several critical paths to compromise
> at work here.
>
> $.02,
>
> - - ferg
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.3 (Build 5003)
>
> wj8DBQFLUDgDq1pz9mNUZTMRAq6UAJ9LTD94zBMBm/1XpiH89PnO/Ok45gCdEhWq
> nDMfkF9noJ91vueOk8Bj6kI=
> =rfh4
> -----END PGP SIGNATURE-----
>
>
> -- 
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawgster(at)gmail.com
>  ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.