
Thread: ** HEADS UP ** IE vulnerability. EXTREMELY CRITICAL.

  1. #151
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Well, he would say that wouldn't he. But, if it were true, why would MS issue the patch out of schedule?

    They must be totally embarrassed that a third party provided a fix before they did

    I think that Tiger~ has a good point a few posts above. How many machines have already been compromised?

    Will your anti-malware pick up the payloads whatever they might have been?

    Sure, some AVs were picking up attempted attacks before the patch, but how many did they miss?


  2. #152
    Senior Member
    Join Date
    Oct 2003
    Posts
    707
    But, if it were true, why would MS issue the patch out of schedule?
    [1]
    Microsoft originally planned to release the update on Tuesday, Jan. 10, 2006, as part of its regular monthly release of security bulletins, after testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.
    [1]
    Microsoft Releases Security Update to Fix Vulnerability in Windows

    ....
    Operation Cyberslam
    "I've noticed that everybody that is for abortion has already been born." Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam

  3. #153
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.
    Uh huh. And what about customer sentiment about other releases being critical to release earlier??

    This makes it sound like this is the only one that customers/consumers were concerned about.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #154
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    This all just seems like a feeble attempt at managing an embarrassing public relations situation...and hence all the downplaying of this vulnerability. Which again is totally and utterly irresponsible by MS.

    Nihil/Tiger: Frightening prospects...thousands/hundreds of thousands of PCs infected prior to patch release and especially concernful given the 2nd round of exploit code FrSIRT posted that can morph in ways to avoid AV sigs.............sigh.

    Those of us responsible for more than a couple computers could be in store for many weeks (months?) of responding to 'strange' incidents.

  5. #155
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Those of us responsible for more than a couple computers could be in store for many weeks (months?) of responding to 'strange' incidents.
    That _should_ be your normal stance. I look every day for abnormal traffic and activity.... ISC are asking for people who noticed this exploit before Dec. 1... That's a little scary.... Time to take another look through the logs....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #156
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Originally posted here by Tiger Shark
    That _should_ be your normal stance.
    Oh I know...and it is. My statement had to do with all the machines that got infected before signatures were released and also in response to that same SANS statement.

    Like I said earlier, any machines infected with that 2nd set of exploit code (the one that can morph) may never be detected...well unless they become very _chatty_ or attempt to use non-standard ports.

    Anyone find any infected machines that had listening ports on any non standard ports? Maybe we could scan our machines for these. Maybe I'll grab some of the sploits and intentionally infect a couple machines and scan them. If I find anything I'll share. Let's share intel here...

  7. #157
    Member Gir's Avatar
    Join Date
    Sep 2002
    Posts
    39
    Ok, this is a lil late and a tad off topic. I know that a .wmf with a changed extension will normally be translated and cause issues in general but does it affect Firefox?
    The answer to all how to questions: Very carefully with a large stick.

    "Dogs f***ed the Pope. No fault of mine." Hunter S. Thompson

  8. #158
    Junior Member
    Join Date
    Jul 2005
    Posts
    26

    Test Files

    I think what's very important to note is that DEP in some cases can SEEM like it saves unprotected systems from this exploit. This is because when one of these files is SERVED via the Internet, it requires RUNDLL32.EXE to help launch the exploit ("In some cases, there are MANY Payloads Possible") so DEP can sense this and stop this, however IF one of these files somehow make it to your hard drive, on unprotected systems, they can LAUNCH without the need of RUNDLL32.exe.

    Some may ask "Well How could they make it to the hard drive?", the simple answer is via some kind of Download, for example contained in a .zip or .rar file.

    If in fact this happened, the simple ACT of looking at the files contained in the folder which they were located in ("On an unprotected system") can/could launch them, and there is NO requirement for thumbnail view to be on for this to happen.

    This is why it is so important to test on unprotected systems both On-Line and Offline.

    These test files show this:

    http://www.antionline.com/showthread...hreadid=273053
    Where Black, Gray and White Hats Unite to help protect YOU from current and future Exploits http://testing.OnlyTheRightAnswers.com

  9. #159
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    We may not be out of trouble on this yet gang, this was just published at SANS:

    Published: 2006-01-09,
    Last Updated: 2006-01-09 18:27:08 UTC by William Salusky (Version: 1)

    We had hoped the chapter on WMF exploits had finally been closed, pending the patching of countless millions of vulnerable workstations of course. However, today we were forwarded a Bugtraq disclosure of two additional functions vulnerable to memory corruption attack within the Microsoft graphics rendering engine. The flaw reportedly affects the 'ExtCreateRegion' and 'ExtEscape' functions and while there has been no current proof of concept exploit/DoS code publicly released we will be watching this issue closely.

    reference: http://www.securityfocus.com/bid/16167 (Sorry, you have to cut/paste).


    Cheers:
    DjM

  10. #160
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    Gir, in response to your post:
    Originally posted here by Gir
    Ok, this is a lil late and a tad off topic. I know that a .wmf with a changed extension will normally be translated and cause issues in general but does it affect Firefox?
    Third post of this MASSIVE thread:
    Originally posted here by Deeboe
    According to F-Secure's blog "Firefox users can get infected if they decide to run or download the image file.
    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/
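
Gir's question turns on a metafile being handled by its content rather than its name, and post #158 notes that such files can reach the disk inside a .zip download. The added example below (not code from this thread or from any vendor) checks archive members for a WMF header under a non-.wmf name; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # placeable-header key 0x9AC6CDD7, little-endian

def is_wmf(data: bytes) -> bool:
    """True when the bytes begin with a WMF header, whatever the file is called."""
    if data[:4] == PLACEABLE_KEY:
        data = data[22:]               # skip the 22-byte placeable header
    if len(data) < 18:                 # the standard header is 18 bytes
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def disguised_wmf_in_zip(zip_bytes: bytes) -> list:
    """Archive members that are WMF by content but do not carry a .wmf name."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(64)
            if is_wmf(head) and not info.filename.lower().endswith(".wmf"):
                hits.append(info.filename)
    return hits

def constructed_sample_zip() -> bytes:
    """Constructed test archive: header-only metafiles with no drawing records."""
    # type=1, header=9 words, version 0x0300, size=12 words, 0 objects, max record=3
    wmf = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)
    wmf += struct.pack("<IH", 3, 0)    # META_EOF record
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", wmf)                               # renamed WMF
        zf.writestr("logo.gif", PLACEABLE_KEY + b"\x00" * 18 + wmf)   # placeable form
        zf.writestr("chart.wmf", wmf)                                 # honestly named
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG magic
        zf.writestr("notes.txt", b"hello")
    return buf.getvalue()

if __name__ == "__main__":
    for name in disguised_wmf_in_zip(constructed_sample_zip()):
        print("WMF content under a non-.wmf name:", name)
```

A hit only means the member's content type and name disagree; it says nothing about whether the metafile is malicious, so treat it as a reason to quarantine and inspect.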
