Re: [Full-disclosure] New IE sploit?
- Subject: Re: [Full-disclosure] New IE sploit?
- From: Stelian Ene <stelian.ene@xxxxxxxxxxxxx>
- Date: Mon, 27 Mar 2006 10:25:45 +0300
Bart.Lansing@xxxxxxxxx wrote:
>
>
> This will handle the announced sploit...assuming you do snort, courtesy
> of Bleeding-Snort:
>
> http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities?view=markup
>
This will handle the specific variation used in that exploit, but blocking this
completely is outside the scope of snort and most content scanners.
I see that even text/plain mails talking about the bug are "cleaned" by major
AVs. This is especially brain-dead behavior since all advisories clearly say
email is not a vector.
Due to the nature of JS, there are almost endless variations. Off the top of my
head:
- getElementById is not necessary; for example, use getElementsByName
- checkbox/radio + createTextRange is not the only way of triggering the bug
- infinite obfuscation using eval()
- infinite obfuscation using document.write()
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/