#1

"Microsoft has expressed concern that this new vulnerability was not disclosed to them first, potentially putting users at risk. Although there is currently no patch for this vulnerability, disabling Active Scripting or switching to an alternate browser such as Mozilla Firefox would effectively mitigate the risk."

I do not believe that there is real malicious code floating around for this, this has been a known issue since May.....I believe MS has marked it as low and as such did nothing about it....typical.

http://www.securityfocus.com/brief/58

Imhotep

#2

Imhotep <> writes:
> I do not believe that there is real malicious code floating around for this,
> this has been a known issue since May.....I believe MS has marked it as low
> and as such did nothing about it....typical.
>
> http://www.securityfocus.com/brief/58

To be fair, in May, everyone was convinced the problem was just a DOS condition, and not exploitable for remote access. Only recently has proof of concept code emerged to exploit it.

--
Todd H.
http://www.toddh.net/

#3

"Imhotep" <> wrote in message news: ...
> "Microsoft has expressed concern that this new vulnerability was not
> disclosed to them first, potentially putting users at risk. Although there
> is currently no patch for this vulnerability, disabling Active Scripting or
> switching to an alternate browser such as Mozilla Firefox would effectively
> mitigate the risk."
>
> I do not believe that there is real malicious code floating around for this,
> this has been a known issue since May.....I believe MS has marked it as low
> and as such did nothing about it....typical.
>
> http://www.securityfocus.com/brief/58
>
> Imhotep

###############################
I have been disabling active scripting along w/ other things in IE for years. It has served me well.

donnie

#4

Imhotep wrote:
> "Microsoft has expressed concern that this new vulnerability was not
> disclosed to them first, potentially putting users at risk. Although there
> is currently no patch for this vulnerability, disabling Active Scripting or
> switching to an alternate browser such as Mozilla Firefox would effectively
> mitigate the risk."
>
> I do not believe that there is real malicious code floating around for this,
> this has been a known issue since May.....I believe MS has marked it as low
> and as such did nothing about it....typical.
>
> http://www.securityfocus.com/brief/58
>
> Imhotep

Great Link thanks!

Winged

#5

"Imhotep" <> wrote in message news: ...
> I do not believe that there is real malicious code floating around for this,
> this has been a known issue since May.....I believe MS has marked it as low
> and as such did nothing about it....typical.

You left out the reason why: "The vulnerability targeted by the exploit was originally announced in May as a stability issue resulting in the browser closing."

There are tons of ways an attacker could cause IE or any other browser to lock up or shut down, and little reason for an attacker to want to do so. I do not at all blame Microsoft for putting this vulnerability on the back burner as it was known in May.

Many vulnerabilities are not fixed right away because Microsoft cannot reproduce the vuln, which is the first step towards writing a patch. If the finder is not available to work with Microsoft on reproducing the vuln, that makes the task harder.

I could be mistaken, but I understand there is code out there [at the frsirt.com site for example] and that Microsoft has confirmed the code. Some people have reported problems getting the exploit code to work, suggesting my "Microsoft cannot fix what they cannot repro" theory could be correct.

Karl Levinson, mvp

#6

As far as is public, you are correct--there is a proof of concept page which can run Calc.exe on your system.

It has been known since May that there was a denial of service vulnerability.

So, yesterday this was shown to allow code execution in some cases--and released to the public and to Microsoft at the same moment. Do you feel protected by this action?

--

"Imhotep" <> wrote in message news: ...
> "Microsoft has expressed concern that this new vulnerability was not
> disclosed to them first, potentially putting users at risk. Although there
> is currently no patch for this vulnerability, disabling Active Scripting or
> switching to an alternate browser such as Mozilla Firefox would effectively
> mitigate the risk."
>
> I do not believe that there is real malicious code floating around for this,
> this has been a known issue since May.....I believe MS has marked it as low
> and as such did nothing about it....typical.
>
> http://www.securityfocus.com/brief/58
>
> Imhotep

Bill Sanderson

#7

Bill Sanderson wrote:
> As far as is public, you are correct--there is a proof of concept page
> which can run Calc.exe on your system.
>
> It has been known since May that there was a denial of service
> vulnerability.

Well, someone did not review this exploit well. In fact, I would say that MS dropped the ball in evaluating what the security hole can do....

> So, yesterday this was shown to allow code execution in some cases--and
> released to the public and to Microsoft at the same moment. Do you feel
> protected by this action?

Well, I do sure. However, the point you are trying to make is if the "news" should have been posted. My answer is this. MS has known about this since May....MAY...it is now the end of November. Clearly they have had plenty of time to fix it...put the blame where it belongs.

Imhotep

#8

Karl Levinson, mvp wrote:
> "Imhotep" <> wrote in message news: ...
>
>> I do not believe that there is real malicious code floating around for this,
>> this has been a known issue since May.....I believe MS has marked it as low
>> and as such did nothing about it....typical.
>
> You left out the reason why: "The vulnerability targeted by the exploit
> was originally announced in May as a stability issue resulting in the
> browser closing."
>
> There are tons of ways an attacker could cause IE or any other browser to
> lock up or shut down, and little reason for an attacker to want to do so.
> I do not at all blame Microsoft for putting this vulnerability on the back
> burner as it was known in May.

I will. Certainly, someone did not research this vulnerability well. They slapped an incorrect statement about it being a "low" priority and well, put their users and clients where they are now. F'd....but then again, the XBox was coming out...

> Many vulnerabilities are not fixed right away because Microsoft cannot
> reproduce the vuln, which is the first step towards writing a patch. If
> the finder is not available to work with Microsoft on reproducing the
> vuln, that makes the task harder.

Well, certainly, other people can reproduce this one...not sure why MS could not...

> I could be mistaken, but I understand there is code out there [at the
> frsirt.com site for example] and that Microsoft has confirmed the code.
> Some people have reported problems getting the exploit code to work,
> suggesting my "Microsoft cannot fix what they cannot repro" theory could
> be correct.

....I tested it today and, bang, got a calculator...have you tried?

In a nutshell, you always try to put a spin on MS. However, a fact is a fact. MS dropped the ball, yet again, by classifying this as a "low risk" when clearly, it is a critical risk...put the blame where it belongs. Microsoft screwed everyone again....like clockwork.

Imhotep

#9

Winged wrote:
> Imhotep wrote:
>> "Microsoft has expressed concern that this new vulnerability was not
>> disclosed to them first, potentially putting users at risk. Although
>> there is currently no patch for this vulnerability, disabling Active
>> Scripting or switching to an alternate browser such as Mozilla Firefox
>> would effectively mitigate the risk."
>>
>> I do not believe that there is real malicious code floating around for
>> this, this has been a known issue since May.....I believe MS has marked
>> it as low and as such did nothing about it....typical.
>>
>> http://www.securityfocus.com/brief/58
>>
>> Imhotep
>
> Great Link thanks!
>
> Winged

...sure...

Imhotep

#10

Donnie wrote:
> "Imhotep" <> wrote in message news: ...
>> "Microsoft has expressed concern that this new vulnerability was not
>> disclosed to them first, potentially putting users at risk. Although
>> there is currently no patch for this vulnerability, disabling Active
>> Scripting or switching to an alternate browser such as Mozilla Firefox
>> would effectively mitigate the risk."
>>
>> I do not believe that there is real malicious code floating around for
>> this, this has been a known issue since May.....I believe MS has marked
>> it as low and as such did nothing about it....typical.
>>
>> http://www.securityfocus.com/brief/58
>>
>> Imhotep
>
> ###############################
> I have been disabling active scripting along w/ other things in IE for
> years. It has served me well.
> donnie

....I bet it has!

Imhotep