[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] New IE sploit?

To: Juha-Matti Laurio <juha-matti.laurio@xxxxxxxx>
Subject: Re: [Full-disclosure] New IE sploit?
From: Bart.Lansing@xxxxxxxxx
Date: Fri, 24 Mar 2006 16:52:59 -0600

This will handle the announced sploit...assuming you do snort, courtesy of 
Bleeding-Snort: 

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities?view=markup
 



alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
WEB CLIENT Internet Explorer createTextRange Code Execution"; 
flow:established,from_server; content:"document.getElementById"; 
content:"createTextRange"; nocase; distance:3; within:50; 
pcre:"/=\s*document\.getElementById.{0,30}?createTextRange/smi"; 
classtype:attempted-user; reference:bugtraq,17196; 
reference:cve,2006-1359; sid:2002860; rev:2; )


full-disclosure-bounces@xxxxxxxxxxxxxxxxx wrote on 03/24/2006 04:36:49 PM:

> Internet Storm Center's always informative Diary has the following new 
> information:
> 
> "a particular site uses the "createTextRange" vulnerability to install a 

> spybot variant."
> 
> More details at 
> http://isc.sans.org/diary.php?storyid=1212
> 
> The timestamp of updated Diary entry is 2006-03-24 21:49:09 UTC.
> No need to say that their role is not to share exact URLs.
> 
> - Juha-Matti
> 
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Hey All,
> > 
> > I know this isn't really the place, but hey.
> > Has anyone got any sites that are currently using this, ideally links?
> > 
> > TIA
> > 
> > xyberpix
> > 
> > Blog: http://blogs.securiteam.com
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

CONFIDENTIALITY NOTICE: 
This is a transmission from Kohl's Department Stores, Inc.
and may contain information which is confidential and proprietary.
If you are not the addressee, any disclosure, copying or distribution or use of 
the contents of this message is expressly prohibited.
If you have received this transmission in error, please destroy it and notify 
us immediately at 262-703-7000.

CAUTION:
Internet and e-mail communications are Kohl's property and Kohl's reserves the 
right to retrieve and read any message created, sent and received.  Kohl's 
reserves the right to monitor messages by authorized Kohl's Associates at any 
time
without any further consent.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] New IE sploit?
  - From: Stelian Ene

References:
- Re: [Full-disclosure] New IE sploit?
  - From: Juha-Matti Laurio

Prev by Date: Re: [Full-disclosure] New IE sploit?
Next by Date: Re: [Full-disclosure] New IE sploit?
Previous by thread: Re: [Full-disclosure] New IE sploit?
Next by thread: Re: [Full-disclosure] New IE sploit?
Index(es):
- Date
- Thread