[Full-Disclosure] RE: new internet explorer exploit (was new worm)

From: Drew Copley (dcopley_at_eeye.com)
Date: 03/30/04

    To: "Berend-Jan Wever" <SkyLined@edup.tudelft.nl>, <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
    Date: Tue, 30 Mar 2004 10:59:41 -0800
    
    

     

    > -----Original Message-----
    > From: Berend-Jan Wever [mailto:SkyLined@edup.tudelft.nl]
    > Sent: Monday, March 29, 2004 3:35 PM
    > To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com
    > Subject: Re: new internet explorer exploit (was new worm)
    >
    > ----- Original Message -----
    > From: "Drew Copley" <dcopley@eeye.com>
    > > Yeah. It is a zero day worm, and it is very notable as such.
    > >
    > > I can not recall a previous zero day worm. (AV is not my job, but I do
    > > try and follow zero day.)
    > >
    > > Hence, IE has birthed us the first zero day worm.
    > >
    > > We should be thankful it was not coded better, because it could have
    > > caused some really serious problems. A hundred thousand systems is
    > > really a low target when you consider 94% of all browsers being used are
    > > IE and the internet population is around the 400 million figure.
    >
    > Just be thankful the guy didn't take the time to find 0day xss issues in
    > web-based e-mail services like hotmail/yahoo/etc... I still wonder why these
    > have not been exploited by email virii: They're not that hard to find (check
    > your archives) and it's just too easy to code a small worm in javascript for
    > these sites (I know from experience).

    Yeah, we have one with Yahoo in pending. Though, it was a bit difficult
    to find. (It has not been added to our upcoming advisory list, yet.)

    In fact, I am good friends with several of the guys who found the last
    ones... Dror Shalev and http-equiv. (Never really talked to Greymagic,
    just by chance, I suppose.)

    These are top bugfinders, though, and they are very skilled people. I do
    not dismiss the skills of any of the people who have found these bugs...
    but I do believe there are more in there.

    > The only propagation limiting problem is that all traffic goes through
    > centralized servers which can be easily updated (check your archives for
    > site-specific response times). But if you combine it with your regular
    > e-mail worm techniques, you can be sure propagation continues after that fix.

    Right, I find these security holes extremely alarming. In fact, I
    accidentally flamed a bug finder once because I thought he posted Yahoo
    zero day... and I am known as a guy that is patient and apologetic for
    those who post zero day without going to the vendor first. (Because I
    know all too well, for one thing, that they don't have to post it at
    all.)

    And, I know what it feels like to have this Yahoo zero day in my pocket
    here. It is a dangerous thing.

    That's why this business is so much funner than writing database
    programs.

    >
    > Cheers,
    > SkyLined

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

