Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: New IE exploit for unpatched vuln

  1. #1
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534

    Exclamation New IE exploit for unpatched vuln

    http://www.theregister.co.uk/2005/11/22/ie_exploit/
    Hackers have created a potent exploit for a six-month old vulnerability in Internet Explorer which was previously believed to be only a Denial of Service risk. A fresh exploit posted on computerterrorism.com proves that the security bug can be exploited to gain system access, even on systems running Windows XP with Service Pack 2. The flaw stems from a failure by IE to properly handle requests to the window() object.

    Successful exploitation involves tricking a Windows user running IE into visiting a maliciously constructed website contain hostile JavaScript code. Users of both IE 5.5 and 6.x are potentially at risk. "Currently, the only way to protect against exploitation of this vulnerability is by disabling active scripting or by using another browser," said Thomas Kristensen, CTO of security notification firm Secunia.

    Microsoft's holding statement on the issue can be found here.
    http://www.microsoft.com/technet/sec...ry/911302.mspx
    This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible. Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
    Yeah.. it's all the evil hackers fault .. it's known for atleast 5 months and still unpatched
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  2. #2
    But then again any excuse will do for MicroSoft wouldn't it..
    I mean they carn't say hey it's all our fault that our programmers are shiat.
    Even though we knew about this vuln for so many months why not just blame it on those evil hackers...


    i'm drunk were's that drunk thread at..

  3. #3
    I will guarantee you that Microsoft will definetly blame it on the Hackers. Without the "evil Hackers" the World wouldn't know that this whole exists since six Months.

  4. #4
    Yeh, this is slick: was only a DOS, now a remote code execution risk. sigh

    For you Snort users, BleedingSnort posted a sig. I've deployed it...just note that even reading a news article or CVE link (http://www.cve.mitre.org/cgi-bin/cve...=CAN-2005-1790) about it will trigger an alert because of the regular expression it's using to detect window ( ).

    http://www.bleedingsnort.com/cgi-bin...er?view=markup

  5. #5
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I think that the term "vulnerability" is too widely abused.

    "vulnerability
    A weakness in system security procedures, system design, implementation, internal controls, etc., that could be exploited to violate system security policy.
    "
    - NCSC-TG-004 Glossary of Computer Security Terms

    This for instance is not a vulnerability. Why not? Because there is no violation of the system's security policy. All this does is run code defined by an external entity (which the configuration allows) with the rights granted to it by the user.

    Where is the vulnerability? How is the security policy violated?

    This is simply a case of poor verification, in not determining if the security policy was adequently reflected in the system's security policy. That said, there is no violation and consequently no vulnerability.

    cheers,

    catch

  6. #6
    Nice job, catch. You were much more -- ahem -- diplomatic than I may have been.

    The exploit code was only just released, so Microsoft isn't trying to blame the "evil hackers." They are trying to encourage responsible disclosure. Had Microsoft had the opportunity to evaluate the exploit, they may have been able to more effectively address the issue.

    As it is, the computerterrorism.com folks posted it and everyone has to react. Not the most desirable result. Check the links, all the updated dates indicate yesterday or today.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi catch

    Where is the vulnerability? How is the security policy violated?
    with the rights granted to it by the user
    I think that you answered your own question there?

    The "vulnerability" lies with the users rather than the system. In a way Microsoft are caught in a cleft stick? they dumb down their systems to maximise their revenue, and that makes them available to people who have little idea, and even less inclination to learn.

    This is simply a case of poor verification, in not determining if the security policy was adequently reflected in the system's security policy
    That bit can be laid at Microsoft's door.


  8. #8
    Banned
    Join Date
    May 2003
    Posts
    1,004
    The "vulnerability" lies with the users rather than the system.
    Exactly, the users failed to map the system's security policy to their own requirements.

    That bit can be laid at Microsoft's door.
    I believe this is addressed in the same manner... to do otherwise is like blaming the auto maker for a car crash because the driver decided against using the breaks. Microsoft makes the tools availible, the user opted to not use them/use them correctly.

    Microsoft provides a usable system. Individual system owners must determine their own security requirements, their failure to do so is exactly that... their failure.

    I find it interesting that people how look to blame the OS for allowing the users to do dumb things are typically against the TCPA because it "takes away user choice".

    People who blame the users for requiring a security that they choose to not implement are in favor of the TCPA because it simplifies and expands the security capabilities.

    cheers,

    catch

    PS. Got a job for me yet Nihil?

    Maybe I should talk to Microsoft, they advertise here... and I have been a voice of support for them here for years... prolly far more effective than some banners.

  9. #9
    Originally posted here by Chickenpox2004
    I will guarantee you that Microsoft will definetly blame it on the Hackers. Without the "evil Hackers" the World wouldn't know that this whole exists since six Months.
    this is what we call NET ECOLOGY...

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Microsoft makes the tools availible, the user opted to not use them/use them correctly.
    This is where I do criticise Microsoft. My reason is that I can show you old DOS and early Windows manuals that shipped with the software. They are actually quite comprehensive..............just compare them to what ships with Windows XP today. They can use the help system, I hear you say?...................err no, it is certainly not user friendly and would take a long time for a beginner to find their way around.

    I take the view that if you are going to sell a product to idiots, you should at least have the decency to include an idiot's guide in the box. It is not really a question of Users opting to do anything, at the moment I do not believe that 90% of domestic users are aware that they have options.

    Microsoft provides a usable system. Individual system owners must determine their own security requirements, their failure to do so is exactly that... their failure.
    In a corporate environment I would agree entirely, but the majority of problems are found in the domestic environment which is the virtual "biological reservoir" for scumware. I believe that MS have a duty of care to encourage users to think about it. On the contrary, however, MS have even pursued a policy of shipping software with everything "turned on" presumably to cut their helpdesk costs?

    Hey, if you went into a local bar and asked Joe Public what he thought of IIS, he would probably freak out because he thought you meant IRS?

    Unfortunately we live in a "domestic appliance" society...............people go to the electrical store, buy a tv, take it home, plug it in..............it AUTOTUNES and within a few minutes it is good to go. All they have to do after that is change the batteries in the remote? They look on computers in the same way.

    OK, this will probably resolve itself in 20 years time because the next generation will all have had computer training. Right now, we have computer illiterates going out and buying them as if they were refrigerators?

    Obviously, my comments are directed at the domestic market side of the industry.

    PS. Got a job for me yet Nihil?
    I have sent a couple of e-mails to cronies in the South, will probably get some feedback early next week

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •