Date: Thu Dec 29 17:51:52 2005
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: Static Blocking for the WMF Exploit - over 50 known variants

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I think jerome athias pubbed a working workaround about unloading a
dll, but anyway the most evident countermeasure while browsing websites,
and which I guess everyone does, is to use firefox instead of IE :)

Discussion Lists wrote:
> Message Got it . . . the mscracks site is still available, so I
> have been running my tests from that, and I think I may have a
> workaround for anyone who is interested, but I need people to help
> me test it. Here's what I did:
>
> First: I created a virtual machine with SP2 installed, AVG Free AV
> and updated it.  Then I went to the mscracks site.  I did this
> running as admin on my computer BTW.  I noticed as the page came
> up, AVG Free alerted me to a bunch of infections.  Bad news.
>
> Last: I reverted the virtual machine to the pre-mscracks state
> (with SP2, and AVG Free), and updated AVG Free.  I then ran some
> code that activates Windows' SAFER mechanism for Internet Explorer.
> I will attach a link at the end of the email for more info.  I
> confirmed the IE was running with reduced privs, and then opened
> MSCracks. AVG Free didn't complain once about infections and such.
>
> To me that means that reducing browser privileges thwarts this
> exploit.  Can someone else test this for me as well?  Anyone
> interested in the VBScript code I used for SAFER email me as well.
>  I will be happy to send it along.
>
>
>
> -----Original Message-----
> *From:* Larry Seltzer [mailto:larry@...ryseltzer.com]
> *Sent:* Thursday, December 29, 2005 9:07 AM
> *To:* Discussion Lists; full-disclosure@...ts.grok.org.uk
> *Subject:* RE: [Full-disclosure] Static Blocking for the WMF Exploit - over 50 known variants
>
>>> Sorry if this was asked before, but how do I know if my machine
>>> has been compromised?  I am working on a way to contain any damage
>>> caused by this exploit, and it would be helpful to know for sure
>>> that what I am doing is working or not working.
>
> Unfortunately, I think the test for this is specific to each
> variant and not to the WMF vector. IOW, there is no one test.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.ziffdavis.com/seltzer
> Contributing Editor, PC Magazine
> larryseltzer@...fdavis.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
-----END PGP SIGNATURE-----
