Full Disclosure mailing list archives
Re: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
From: "Dimitri Limanovski" <dlimanov () sct com>
Date: Wed, 10 Sep 2003 10:43:45 -0400
I agree that firewall is not the place to catch this. Any properly configured HIPS should be able to catch this or nay other similar-configured exploit without any issues though. We have OKENA and simple rule to prohibit (or prompt) program executions from within IE has stopped this (and dozen of others) exploit from working. FWIW, McAfee caught it as well, identifying it as Exploit-CodeBase but I'm sure this can be easily bypassed with little coding. Thanks, Dimitri |---------+--------------------------------------> | | Nathan Wallwork | | | <owen () pungent org> | | | Sent by: | | | full-disclosure-admin@lists| | | .netsys.com | | | | | | | | | 09/09/2003 04:17 PM | | | | |---------+--------------------------------------> >--------------------------------------------------------------------------------------------------------------| | | | To: Drew Copley <dcopley () eeye com> | | cc: ADBecker () chmortgage com, "'GreyMagic Software'" <security () greymagic com>, "'Bugtraq'" | | <bugtraq () securityfocus com>, <full-disclosure () lists netsys com>, <http-equiv () excite com>, | | "'NTBugtraq'" <NTBUGTRAQ () LISTSERV NTBUGTRAQ COM>, "'Microsoft Security Response Center'" | | <secure () microsoft com>, <vulnwatch () vulnwatch org> | | Subject: [Full-disclosure] RE: BAD NEWS: Microsoft Security Bulletin MS03-032 | >--------------------------------------------------------------------------------------------------------------| On Mon, 8 Sep 2003, Drew Copley wrote:
The only sure way to detect this, I already wrote about [to
Bugtraq]. That
is by setting a firewall rule which blocks the dangerous mimetype
string
[Content-Type: application/hta]. Everything else in the exploit can
change. Just so we are clear, the firewall wouldn't tbe he right place to catch this because that string could be split by packet fragmentation, so you'd need to look for it at an application level, after the data stream has been reassembled. Of course, if anyone thinks it is easier to protect their browser with a proxy than fix the browser they've got other issues. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: [VulnWatch] RE: BAD NEWS: Microsoft Security Bulletin MS03-032, (continued)
- Re: [VulnWatch] RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Thomas Kristensen (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 ADBecker (Sep 08)
- Re: RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Nick FitzGerald (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Thor Larholm (Sep 08)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Nathan Wallwork (Sep 09)
- (Patch Updated) Microsoft Security Bulletin MS03-032 Jim (Sep 09)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Drew Copley (Sep 10)
- Re: BAD NEWS: Microsoft Security Bulletin MS03-032 Crist J. Clark (Sep 12)
- RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Drew Copley (Sep 12)
- Re: RE: BAD NEWS: Microsoft Security Bulletin MS03-032 Dimitri Limanovski (Sep 10)