Full Disclosure mailing list archives
RE: new internet explorer exploit (was new worm)
From: "Drew Copley" <dcopley () eeye com>
Date: Tue, 30 Mar 2004 10:59:41 -0800
-----Original Message----- From: Berend-Jan Wever [mailto:SkyLined () edup tudelft nl] Sent: Monday, March 29, 2004 3:35 PM To: full-disclosure () lists netsys com; bugtraq () securityfocus com Subject: Re: new internet explorer exploit (was new worm) ----- Original Message ----- From: "Drew Copley" <dcopley () eeye com>Yeah. It is a zero day worm, and it is very notable as such. I can not recall a previous zero day worm. (AV is not myjob, but I dotry and follow zero day.) Hence, IE has birthed us the first zero day worm. We should be thankful it was not coded better, because it could have caused some really serious problems. A hundred thousand systems is really a low target when you consider 94% of all browsersbeing used areIE and the internet population is around the 400 million figure.Just be thankfull the guy didn't take the time to find a 0day xss issues in webbased e-mail services like hotmail/yahoo/etc... I still wonder why these have not been exploited by email virii: They're not that hard to find (check your archives) and it's just too easy to code a small worm in javascript for these sites (I know from experience).
Yeah, we have one with Yahoo in pending. Though, it was a bit difficult to find. (It has not be added to our upcoming advisory list, yet.) In fact, I am good friends with several of the guys who found the last ones... Dror Shalev and http-equiv. (Never really talked to Greymagic, just by chance, I suppose.) These are top bugfinders, though, and they are very skilled people. I do not dismiss the skills of any of the people who have found these bugs... but I do believe there are more in there.
The only propagation limiting problem is that all trafic goes through centralized servers which can be easily updated (check your archives for site-specific responds times). But if you combine it with your regular e-mail worm techniques, you can be sure propagation continues after that fix.
Right, I find these security holes extremely alarming. In fact, I accidentally flamed a bug finder once because I thought he posted Yahoo zero day... and I am known as a guy that is patient and apologetic for those who post zero day without going to the vendor first. (Because I know all too well, for one thing, that they don't have to post it at all.) And, I know what it feels like to have this Yahoo zero day in my pocket here. It is a dangerous thing. That's why this business is so much funner then writing database programs.
Cheers, SkyLined
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- AW: new internet explorer exploit (was new worm), (continued)
- AW: new internet explorer exploit (was new worm) Ron Stiemer (Mar 29)
- Message not available
- Re: new internet explorer exploit (was new worm) Nick FitzGerald (Mar 30)
- RE: new internet explorer exploit (was new worm) Drew Copley (Mar 29)
- Re: new internet explorer exploit (was new worm) Berend-Jan Wever (Mar 29)
- Re: RE: new internet explorer exploit (was new worm) Valdis . Kletnieks (Mar 29)
- RE: [inbox] Re: RE: new internet explorer exploit (was new worm) Exibar (Mar 29)
- RE: new internet explorer exploit (was new worm) Thor Larholm (Mar 29)
- Re: RE: new internet explorer exploit (was new worm) Tim (Mar 29)
- Re: new internet explorer exploit (was new worm) Jelmer (Mar 30)
- Re: new internet explorer exploit (was new worm) - - (Mar 30)
- RE: new internet explorer exploit (was new worm) Drew Copley (Mar 30)