[Full-Disclosure] RE: new internet explorer exploit (was new worm)
From: Drew Copley (dcopley_at_eeye.com)
To: "Berend-Jan Wever" <SkyLined@edup.tudelft.nl>, <email@example.com>, <firstname.lastname@example.org>
Date: Tue, 30 Mar 2004 10:59:41 -0800
> -----Original Message-----
> From: Berend-Jan Wever [mailto:SkyLined@edup.tudelft.nl]
> Sent: Monday, March 29, 2004 3:35 PM
> To: email@example.com; firstname.lastname@example.org
> Subject: Re: new internet explorer exploit (was new worm)
> ----- Original Message -----
> From: "Drew Copley" <email@example.com>
> > Yeah. It is a zero day worm, and it is very notable as such.
> > I can not recall a previous zero day worm. (AV is not my job, but I do
> > try and follow zero day.)
> > Hence, IE has birthed us the first zero day worm.
> > We should be thankful it was not coded better, because it could have
> > caused some really serious problems. A hundred thousand systems is
> > really a low target when you consider 94% of all browsers being used are
> > IE and the internet population is around the 400 million figure.
> Just be thankful the guy didn't take the time to find 0day xss issues in
> web-based e-mail services like hotmail/yahoo/etc... I still wonder why these
> have not been exploited by email virii: They're not that hard to find (check
> your archives) and it's just too easy to code a small worm in
> these sites (I know from experience).
Yeah, we have one with Yahoo in pending. Though, it was a bit difficult
to find. (It has not been added to our upcoming advisory list, yet.)
In fact, I am good friends with several of the guys who found the last
ones... Dror Shalev and http-equiv. (Never really talked to Greymagic,
just by chance, I suppose.)
These are top bugfinders, though, and they are very skilled people. I do
not dismiss the skills of any of the people who have found these bugs...
but I do believe there are more in there.
> The only propagation limiting problem
> is that all traffic goes through centralized servers which can be easily
> updated (check your archives for site-specific response times). But if you
> combine it with your regular e-mail worm techniques, you can be sure
> propagation continues after that fix.
Right, I find these security holes extremely alarming. In fact, I
accidentally flamed a bug finder once because I thought he posted Yahoo
zero day... and I am known as a guy that is patient and apologetic for
those who post zero day without going to the vendor first. (Because I
know all too well, for one thing, that they don't have to post it at
And, I know what it feels like to have this Yahoo zero day in my pocket
here. It is a dangerous thing.
That's why this business is so much funner than writing database
Full-Disclosure - We believe in it.