Full Disclosure mailing list archives

Re: New IE sploit?


From: Stelian Ene <stelian.ene () gecadtech com>
Date: Mon, 27 Mar 2006 10:25:45 +0300

Bart.Lansing () kohls com wrote:

> This will handle the announced sploit...assuming you do snort, courtesy
> of Bleeding-Snort:
>
> http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities?view=markup


This will handle the specific variation used in that exploit, but blocking this
completely is outside the scope of snort and most content scanners.
I see that even text/plain mails talking about the bug are "cleaned" by major
AVs. This is especially brain-dead behavior since all advisories clearly say
email is not a vector.
Due to the nature of JS, there are almost endless variations. Off the top of my
head:
- getElementById is not necessary; for example, use getElementsByName
- checkbox/radio + createTextRange is not the only way of triggering the bug
- infinite obfuscation using eval()
- infinite obfuscation using document.write()

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
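To make the point about signature coverage concrete, here is an added example (not code from the thread, the list, or Bleeding-Snort): a single-variant content signature keyed on the getElementById + createTextRange form is compared against a broader check that first peels simple eval()/document.write() string wrappers. The regexes, the unwrap routine and the sample call shapes are all constructed for this illustration.

```python
import re

# Single-variant content signature, in the spirit of an IDS rule that keys on the
# published getElementById + createTextRange form (constructed here, not the
# Bleeding-Snort rule linked above).
NAIVE_SIGNATURE = re.compile(r"getElementById\([^)]*\)\.createTextRange\(\)")

# Broader check: any createTextRange() call, however the element was looked up.
BROAD_SIGNATURE = re.compile(r"\.createTextRange\s*\(\s*\)")

# eval("...") or document.write("...") whose argument is one string literal.
WRAPPER = re.compile(
    r"""(?:eval|document\.write)\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*\)""", re.S)


def unwrap(script: str, max_depth: int = 8) -> str:
    """Peel simple eval()/document.write() string wrappers, decoding JS escapes
    such as \\x2f, so the inner code can be inspected. Depth-limited on purpose."""
    for _ in range(max_depth):
        m = WRAPPER.search(script)
        if not m:
            break
        inner = m.group(2).encode("utf-8").decode("unicode_escape")
        script = script[:m.start()] + inner + script[m.end():]
    return script


def classify(script: str) -> tuple:
    """Return (naive_hit, broad_hit_after_unwrapping) for one script body."""
    return (bool(NAIVE_SIGNATURE.search(script)),
            bool(BROAD_SIGNATURE.search(unwrap(script))))


# Constructed call shapes for the variations the mail lists; these are detector
# inputs for the demonstration, not exploit pages.
SAMPLES = {
    "by_id":   'var r = document.getElementById("c").createTextRange();',
    "by_name": 'var r = document.getElementsByName("c")[0].createTextRange();',
    "eval":    'eval("var r = document.getElementsByName(\\"c\\")[0].createTextRange();")',
    "write":   'document.write("<script>var r=document.forms[0].c.createTextRange()<\\x2fscript>")',
    "benign":  'document.getElementById("c").checked = true;',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        naive, broad = classify(body)
        print(f"{name:8} naive={naive!s:5} broad={broad}")
```

Only the first sample trips the naive signature, while the broader check catches every variant listed in the mail; one more layer of string concatenation or a different obfuscation style would defeat the unwrap routine too, which is the point being made about content scanners.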

