Fwd: verizon vs m$

[Ven Ted <v3nt3d () googlemail com>]

---------- Forwarded message ----------
From: Ven Ted <v3nt3d () googlemail com>
Date: Mon, Dec 6, 2010 at 8:31 PM
Subject: Re: [Full-disclosure] verizon vs m$
To: John Lightfoot <jlightfoot () gmail com>


 "the payload can create a web server listening on any port on the loopback
interface, even as a limited user at low integrity"

I'm only going from what the paper says - but that indicates to me that you
create a web server from protected mode, creating an intranet server that
didn't previously exist, so you're not pwning anyones intranet, and you
don't need to already be running as a medium integrity process to serve the
malicious intranet page.


On Mon, Dec 6, 2010 at 8:27 PM, John Lightfoot <jlightfoot () gmail com> wrote:

> <snip>
>
> Once the initial remote exploit has been used to execute arbitrary code
>
> </snip>
>
>
>
> I think Thor’s point is if your Intranet is pwned such that it’s hosting
> remote exploits, you’re already screwed.
>
>
>
> It’s a configuration issue, anyway, so it’s easy enough to mitigate
> against.  My question is why did MS choose to disable Protected Mode by
> default in the Local Internet Zone?  I’ve only run across one application
> that won’t run in Protected Mode, it seems like it should be on by default
> for all zones.
>
>
>
>
>
> On Mon, Dec 6, 2010 at 1:49 AM, Thor (Hammer of God) <thor () hammerofgod com>
> wrote:
>
> I don't understand how Dan arrived at "Researchers bypass Internet Explorer
> Protected Mode" for the article title.  Protected Mode isn't being bypassed
> at all - the "researchers that figured out a reliable way to bypass the
> measure" apparently just noticed that Protected Mode is disabled by default
> in the Local Intranet Zone.
>
> Is this something you are concerned about?  This would obviously only be
> exploitable by accessing sites on one's own intranet by specifically using
> intranet nomenclature (and trusted sites, but the user has to add those).
>  Also, the article (or the researchers) are incorrect about the default
> settings for the Intranet zone - it's Medium-low, not Medium.   If the
> problem one is trying to fix is based on attackers compromising intranet
> sites and then posting code for unpatched vulnerabilities that would still
> end up only running in the user context, then you've got much bigger
> problems, no?
>
> I'm just wondering why you are brining attention to the article, or really,
> why it was written in the first place.
>
> t
>
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk [mailto:
> full-disclosure-bounces () lists grok org uk] On Behalf Of Georgi Guninski
> Sent: Sunday, December 05, 2010 1:26 PM
> To: full-disclosure () lists grok org uk
> Subject: [Full-disclosure] verizon vs m$
>
> in a world like this, verizon kills exploder bugs:
>
> http://www.theregister.co.uk/2010/12/03/protected_mode_bypass/
>
> http://www.verizonbusiness.com/resources/whitepapers/wp_escapingmicrosoftprotectedmodeinternetexplorer_en_xg.pdf
>
> the language doesn't seem passionate:
> -----
> Finally, Microsoft and other software vendors should clearly document which
> features do and do not have associated security claims. Clearly stating
> which features make security claims, and which do not, will allow informed
> decisions to be made on IT security issues.
> -----
>
> lol
>
> --
> joro
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/