Full Disclosure mailing list archives
Re: New IE sploit?
From: Stelian Ene <stelian.ene () gecadtech com>
Date: Mon, 27 Mar 2006 10:25:45 +0300
Bart.Lansing () kohls com wrote:

> This will handle the announced sploit...assuming you do snort, courtesy of Bleeding-Snort: http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities?view=markup

This will handle the specific variation used in that exploit, but blocking this completely is outside the scope of snort and most content scanners. I see that even text/plain mails talking about the bug are "cleaned" by major AVs. This is especially brain-dead behavior since all advisories clearly say email is not a vector.

Due to the nature of JS, there are almost endless variations. Off the top of my head:
- getElementById is not necessary; for example, use getElementsByName
- checkbox/radio + createTextRange is not the only way of triggering the bug
- infinite obfuscation using eval()
- infinite obfuscation using document.write()

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/