Re: Zero-day IE exploit...
From: Martin Spencer-Ford (tpwuk.dash.zero.one_at_ntlworld.com)
Date: 11/24/05
- Next message: Imhotep: "Re: Zero-day IE exploit..."
- Previous message: Ralph Wade Phillips: "Re: Download freeware RKR scanning software (detect Sony rootkit & others)"
- In reply to: karl levinson, mvp: "Re: Zero-day IE exploit..."
- Next in thread: Imhotep: "Re: Zero-day IE exploit..."
- Reply: Imhotep: "Re: Zero-day IE exploit..."
- Reply: Alun Jones: "Re: Zero-day IE exploit..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Nov 2005 00:47:48 GMT
karl levinson, mvp wrote:
> "Imhotep" <imhotep@nospam.com> wrote in message
> news:aYydnRf3V4PrSB7eRVn-uw@adelphia.com...
>
>>Karl Levinson, mvp wrote:
>>
>>
>>>"Imhotep" <imhotep@nospam.com> wrote in message
>>>news:fJmdnS3hCtRvJh7enZ2dnUVZ_sadnZ2d@adelphia.com...
>>>
>>>
>>>>I do not believe that there is real malicous code flouting arround for
>>>
>>>this,
>>>
>>>>this has been a known issue since May.....I believe MS has marked it as
>>>
>>>low
>>>
>>>>and as such did nothing about it....typical.
>>>
>>>You left out the reason why: "The vulnerability targeted by the exploit
>>>was originally announced in May as a stability issue resulting in the
>>>browser closing."
>>>
>>>There are tons of ways an attacker could cause IE or any other browser to
>>>lock up or shut down, and little reason for an attacker to want to do so.
>>>I do not at all blame Microsoft for putting this vulnerability on the
>>>back
>>>burner as it was known in May.
>>
>>I will. Certianlly, someone did not reasearch this vulnability well. They
>>slapped and incorrect statement about it being a "low" priority and well,
>>put their users and clients where they are now. F'd....but then again, the
>>XBox was coming out...
>>
>>
>>>Many vulnerabilities are not fixed right away because Microsoft cannot
>>>reproduce the vuln, which is the first step towards writing a patch. If
>>>the finder is not available to work with Microsoft on reproducing the
>>>vuln, that makes the task harder.
>>
>>Well, certainly, oter people can reproduce this one...now sure why MS
>>could
>>not... :-)
>
>
> Let's be clear here... the vuln reported in May was a denial of service, and
> Microsoft correctly prioritized it as such.
>
>
>>>I could be mistaken, but I understand there is code out there [at the
>>>frsirt.com site for example] and that Microsoft has confirmed the code.
>>>Some people have reported problems getting the exploit code to work,
>>>suggesting my "Microsoft cannot fix what they cannot repro" theory could
>>>be correct.
>>
>>...I tested it today and, bang, got a calculator...have you tried?
>
>
> The discussions I've heard in the public are it works for some and not
> others. I believe it's harder to figure out how to turn a denial of service
> vuln into a remote code execution one if it only occurs on certain system
> configurations. Otherwise, the vuln finder might try successful exploit
> code on a system that is not vulnerable and discard it as non-working.
>
> I'm not saying Microsoft had any trouble reproducing the code that came out
> a few days ago... I'm saying this makes it harder for MS or the original
> finder to turn the DoS into a remote code exploit. It seems likely the
> original finder would have tried to do this and probably only released this
> as a DoS when s/he was unable to do so. S/he also had six months afterwards
> in which to try to turn this into a remote code execution vuln, as did the
> rest of the world.
>
>
>>In a nutshell, you always try to pu a spin on MS.
>
>
> I don't always spin things in Microsoft's favor.
>
>
>>MS dropped the ball, yet again, but classifiying this as a "low risk" when
>>clearly, it is a critical risk...put the blame where it belongs. Microsoft
>>screwed everyone again....like clockwork.
>
>
> It's a critical risk now that remote code execution is found to be possible.
>
> If it was so easy for Microsoft to research the denial of service
> vulnerability in May and figure out how to make it exploit code, then why
> didn't anyone else do it? It's not like there's no one on the Internet
> trying to turn IE denial of service vulns into remote code execution vulns.
> I suspect it wasn't as easy as you think. Neither of us are really IE vuln
> finders, so in the end we're both guessing about how easy or hard it may
> have been to research this vuln.
>
> You may also be thinking that Microsoft could have fixed this six months ago
> had they just fixed the denial of service. That is not necessarily the
> case. It is entirely possible that if they had released a patch for the DoS
> attack, the patch may not have prevented this remote code execution vuln.
> Since MS did not know the details of this remote code execution vuln six
> months ago, they would not have been able to test it against their patch.
>
> It's also possible that properly fixing this vuln requires a major
> architectural change and that was why they delayed on releasing a patch, we
> don't know.
>
>
>
>
Well here's my 2 pennies worth ....
MS get told of the vulnerability maybe in a cryptic clue, such as there
is a flaw in there chaps, can you see what it really is, i will give you
6 months to suss it, after all you do have the source code, and after
all you have all these security evaluators checking your code, and
telling the developers how to avoid the pitfalls, but if you can't
manage to find it with all your extensive facilities and minds, then i
will make it real clear for you.
Now i have nothing but respect for the guys who take the time to reverse
engineer and find these exploits, not because of the damage they can do,
but for their skills, and i find it a crying shame that many use those
skills to cause problems, but when you think of the total disregard of
the EULA committed by these people, and with microsofts policy of being
heavy handed with legal pursuits, its little wonder that there are few
who want to work with them to reproduce the failures, its often easier
to release the flaw and then merge back into the crowd, but with a smug
grin of satisfaction, and a possible slap on the back from other exploiters.
All the best guys
Martin Spencer-Ford
(TpwUK)
- Next message: Imhotep: "Re: Zero-day IE exploit..."
- Previous message: Ralph Wade Phillips: "Re: Download freeware RKR scanning software (detect Sony rootkit & others)"
- In reply to: karl levinson, mvp: "Re: Zero-day IE exploit..."
- Next in thread: Imhotep: "Re: Zero-day IE exploit..."
- Reply: Imhotep: "Re: Zero-day IE exploit..."
- Reply: Alun Jones: "Re: Zero-day IE exploit..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
