funsec mailing list archives
Re: MSIE 6/7/8 unpatched vulnerability confirmed
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Fri, 15 Jan 2010 12:08:21 +0200 (EET)
Very good points and references. I'll reply later today.

MSIE vulnerability is Extremely Critical SA38209 now:
http://secunia.com/advisories/38209/2/

Juha-Matti

Paul Ferguson [fergdawgster () gmail com] wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jan 15, 2010 at 12:51 AM, Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:

http://www.microsoft.com/technet/security/advisory/979352.mspx

This is the 0-day vulnerability used in Google China attack.

Minor Correction: This is the 0-Day used in *some* of the Chinese targeted attacks.

This appears to be a multi-pronged attack -- other organizations in the past week or so have also been targeted via e-mail with malicious attachments.

I would be hard-pressed to say that *all* of the targeted attacks *only* employed the IE heap-spray 0-Day vulnerability/exploit, since it appears that some of the other targeted organizations were targeted with e-mail containing malicious attachments, e.g. the law firm (Gipson Hoffman & Pancione) that is suing China over the CyberSitter code theft being used in Green Dam:

http://blogs.zdnet.com/BTL/?p=29533
http://www.theregister.co.uk/2010/01/15/cybersitter_law_firm_attack/

Also, we have seen these same tactics used (malicious attachments in e-mail disguised as legitimate communiqués) before when targeting Tibetan support groups.

It is quite possible (although not all the details are yet known) that this was also recently used against a local (to me) Stanford student who is a regional coordinator of Students for a Free Tibet:

http://www.mercurynews.com/ci_14195105

So, it is *quite possible* that this was a series of attacks, where the IE 0-Day discovered by McAfee was used on *some* of the targeted victims and others were compromised by malicious e-mail attachments. We have seen several undetected, booby-trapped .PDF exploits in the past week, including this one described this morning over at the SANS Internet Storm Center:

http://isc.sans.org/diary.html?storyid=7984

And also Julia @ FireEye has this excellent post up tonight:

http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html

I think it is dangerous, from a defense perspective, to say "This is responsible for that" when there are clearly several different things happening here -- instead of looking for a quick explanation, everyone should step back and observe that there are several critical paths to compromise at work here.

$.02,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLUDgDq1pz9mNUZTMRAq6UAJ9LTD94zBMBm/1XpiH89PnO/Ok45gCdEhWq
nDMfkF9noJ91vueOk8Bj6kI=
=rfh4
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.