Dailydave mailing list archives

Ah, oo, uh, ie.


From: Dave Aitel <dave () immunityinc com>
Date: Thu, 30 Mar 2006 17:40:57 -0500

Having some fun reading the MSRC weblog. Who doesn't? I want to have
an automated thing scrape it out of the web page and read it out to me
with a sultry female British accent.  That's not weird, right? I could
hook it up to every security weblog out there and have a really
amusing radio station.

Anyways, today you can read some funny things there, if you are in the
right mindset. Or have them read to you. Whatever.

Mike Nash: Hey, we've, uh, decided to throw a major change to how IE
works with regards to ActiveX in with a security patch this month. We
have an EXTRA OPTIONAL patch you can use to disable the change in
behavior.

I wonder if Mike's been talking to one of the DCOM designers. This
sounds like something they'd think up.

DCOM Designer: "Yo, so the server can call RpcImpersonateClient(), but
not if the client has called SetCloaking("Definitely Not"). But if the
registry has the "Cloaking: Not such a good thing" dword set to 1 then
it still can. Clear?"
ProgrammersProgrammersProgrammers: "Sure!"

Haha. That API cracks me up every time.

Anyways, I thought I'd point out a few of the funnier in-jokes.
Mike Nash: """
We've also been made aware of some third party solutions being made
available for this vulnerability. Some of these solutions make
modifications to Windows itself to bypass the attack vector of the
vulnerability.  Of course, while the IE team is working on an update
to address the problem, we certainly recommend a defense in depth
strategy that involves third party tools such as AntiVirus or IDS/IPS
solutions.  However we cannot recommend third party solutions that
modify the way the product itself operates.
"""

What does an AntiVirus or IDS/IPS do again? Oh right, MODIFY THE WAY
THE PRODUCT OPERATES. And not entirely effectively. In our Unethical
Hacking class this week we'll be bypassing AntiVirus with the new IE
0day (for fun and profit). I don't think we'll bother with NIDS,
because I don't think NIDS can handle gzip+chunk encoded web pages
anyways.

The main funny thing MSRC said to me this week was that they've been
tracking down web sites that have the exploit on them, and shutting
them down with law enforcement. Who cares, when you can get hit by a
targeted attack? Not every attack is just blindly smacking down random
grandmothers, although if you read MSRC, the sultry female British
accent would quickly convince you that was the case.

-dave
