March patches for Microsoft

Thread: March patches for Microsoft

  1. #1
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675

    March patches for Microsoft

    Patch 'em if you got 'em

    Microsoft released its March security bulletin yesterday, patching seven vulnerabilities--six of which allowed remote code execution via Microsoft Office.

    The issues affecting Office allow for a 'drive-by download' whereby a user simply visits a malicious webpage with Internet Explorer to become affected...
    Source

    cheers
    Connection refused, try again later.

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Falling a little behind eh Relyt.. :P.. These came out Tuesday... and led to me spending like 21 or 22 hours at the office ... did I say I love my new job..

    Anyways good heads up for anyone that hasn't patched yet.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Originally posted here by HTRegz
    Hey Hey,

    Falling a little behind eh Relyt.. :P.. These came out Tuesday... and led to me spending like 21 or 22 hours at the office ... did I say I love my new job..

    Anyways good heads up for anyone that hasn't patched yet.

    Peace,
    HT
    Hey HT

    "did I say I love my new job.." Do we detect a tad bit of.... Hope you got the overtime $$$ for those hours.

    Seems I've lost a couple days somewhere (need to pull my head out of my buttnix once in a while). Guess I should push a button, throw a lever, or do something to update as well. That's so darn entertaining to watch! Better make some coffee and get a donut or three.

    cheers

  4. #4
    Banned
    Join Date
    Mar 2006
    Posts
    27
    Notice how they said "with Internet Explorer". People should realize it already and switch to a better web browser like Firefox. If I could get rid of IE I would have done it a long time ago.

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by Zaldy
    Notice how they said "with Internet Explorer". People should realize it already and switch to a better web browser like Firefox. If I could get rid of IE I would have done it a long time ago.
    Go back and read the Advisory... they mention IE because it's one possible point of attack, however once you read the details you'll see that there are many points of attack and it's not even browser related..

    Relyt: Actually no sarcasm at all.. I really do love it.. and I had a great time working through the night.

    Peace,
    HT

  6. #6
    Banned
    Join Date
    Mar 2006
    Posts
    27
    Microsoft's Internet Explorer browser crashes when attacked through a new unpatched vulnerability, security companies warned Friday.

    The zero-day bug occurs within the "mshtml" library when a malformed HTML tag with an abnormally large number of script handlers is fed to the browser. According to the researcher who posted the initial description to the Bugtraq security mailing list, attackers can easily crash IE by flooding its buffer.

    The researcher, Michal Zalewski, also released proof-of-concept code that crashes the latest IE release on a fully-patched edition of Windows XP SP2.

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by Zaldy
    Microsoft's Internet Explorer browser crashes when attacked through a new unpatched vulnerability, security companies warned Friday.

    The zero-day bug occurs within the "mshtml" library when a malformed HTML tag with an abnormally large number of script handlers is fed to the browser. According to the researcher who posted the initial description to the Bugtraq security mailing list, attackers can easily crash IE by flooding its buffer.

    The researcher, Michal Zalewski, also released proof-of-concept code that crashes the latest IE release on a fully-patched edition of Windows XP SP2.
    What's your point?? It was actually Thursday... so instead of relying on internet news sites and spouting information they give you.. why not stay in the loop yourself.

    If you did, you'd see that there were several follow ups pointing out that this is nothing new and that Firefox, Opera and even Safari (that's right you holier than thou Mac users) are vulnerable to many similar things and that browsers themselves are bound to contain problems..

    From H.D. Moore (Metasploit Creator)
    Firefox also has fun bugs like this :-) Safari too. And Opera. Try this for kicks: use the metasploit firefox_queryinterface exploit against the latest version of Safari, look where it crashes, follow the code back to its OSS lair... Browser exploits are so much fun - choose your own return address in IE by loading a COM object that ISN'T marked safe for scripting - the DLL still gets mapped to its address space.

    Nothing quite like an application where you can jump anywhere within a 32-bit address space and still get code execution 50% of the time.
    Browser bugs are convoluted and painful because of how much of the environment is controlled by the user - it doesn't matter who made the browser, all it takes is a free'd heap pointer being reused to gain another shell. Just because IE is still exploitable doesn't mean that the rest of the browsers are safe :0)

    -HD

    PS. The KJS unicode bug mentioned above probably isn't exploitable, but many out-of-memory conditions can be. Check out Gaël Delalleau's CSW05 talk for some cool tricks. OOM bugs can really suck on x64.

    PPS. Go see V for Vendetta.

    PPPS. Latest Firefox - the APPLET tag with an interesting SRC parameter is also quite fun - debugging a crash 100 calls deep into the JVM is interesting to wrap your brain around.
    I'm really getting tired of people who come along with their "Microsoft sucks because of this" attitude... that really have no ****ing clue (pardon the language).... you didn't even bother to post a source for your comments... they were obviously a CnP from somewhere.. go back to your 'mommy's teet'

    Peace,
    HT
