Liu Die Yu findings verified, details

From: Thor Larholm (thor_at_PIVX.COM)
Date: 09/11/03

    Date:         Wed, 10 Sep 2003 16:17:57 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Some of you may find that Liu's webpage at safecenter.net/liudieyu is
    inaccessible - this is caused by DNS problems. My USA based machines
    resolve safecenter.net to 64.85.73.31 which doesn't know about any
    liudieyu, while my EU based machines resolve safecenter.net to
    66.70.10.15 where you can find his site. Interested people should change
    their hosts file.

    Since Liu is testing on IE6 Gold (6.0.2600.0000.xpclnt_qfe.021108-2107),
    some of the vulnerabilities he has found are long patched, while others
    still exist in IE6 SP1.

    Some are patched at an unknown time without notice in any security
    bulletin, others are explicitly patched by the latest cumulative IE
    patch, MS03-032, which can be found at

    http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

    Works:
    ======
    WsOpenFileJPU, cross-domain scripting
    HiJackClick: 1+1=2, pointing mouseclicks on non-IE windows, adding to
    favorites
    NAFjpuInHistory, cross-domain scripting
    WsFakeSrc, cross-domain scripting
    NAFfileJPU, cross-domain scripting
    BackMyParent2:Multi-Thread version, cross-domain scripting
    RefBack, cross-domain scripting

    Doesn't work:
    =============
    Findeath, patched by MS03-032
    LinkillerJPU, patched by MS03-032
    WsBASEjpu, specifically patched by MS03-032
    BodyRefreshLoadsJPU
    WsOpenJpuInHistory

    The impact of the working cross-domain scripting vulnerabilities has
    been known for ages: cookie theft, identity theft, stealing sensitive
    information such as banking data and, once you get a window object
    pointed at a local zone, local file reading and command execution.

    Hijacking mouse events for IE and routing them to non-IE/system windows
    is sure to reveal several new vulnerabilities or variations in the time
    to come.

    With these 7 new vulnerabilities, the total number of publicly known
    unpatched vulnerabilities in IE is now at 30:

    http://www.pivx.com/larholm/unpatched/

    Regards
    Thor Larholm
    PivX Solutions, LLC - Senior Security Researcher
