| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Sep 2003 10:43:45 -0400 From: "Dimitri Limanovski" <dlimanov@....com> To: Nathan Wallwork <owen@...gent.org> Cc: ADBecker@...ortgage.com, "'Bugtraq'" <bugtraq@...urityfocus.com>, Drew Copley <dcopley@...e.com>, full-disclosure@...ts.netsys.com, full-disclosure-admin@...ts.netsys.com, http-equiv@...ite.com, "'NTBugtraq'" <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>, "'Microsoft Security Response Center'" <secure@...rosoft.com>, "'GreyMagic Software'" <security@...ymagic.com>, vulnwatch@...nwatch.org Subject: Re: RE: BAD NEWS: Microsoft Security Bulletin MS03-032 I agree that firewall is not the place to catch this. Any properly configured HIPS should be able to catch this or nay other similar-configured exploit without any issues though. We have OKENA and simple rule to prohibit (or prompt) program executions from within IE has stopped this (and dozen of others) exploit from working. FWIW, McAfee caught it as well, identifying it as Exploit-CodeBase but I'm sure this can be easily bypassed with little coding. Thanks, Dimitri |---------+--------------------------------------> | | Nathan Wallwork | | | <owen@...gent.org> | | | Sent by: | | | full-disclosure-admin@...ts| | | .netsys.com | | | | | | | | | 09/09/2003 04:17 PM | | | | |---------+--------------------------------------> >--------------------------------------------------------------------------------------------------------------| | | | To: Drew Copley <dcopley@...e.com> | | cc: ADBecker@...ortgage.com, "'GreyMagic Software'" <security@...ymagic.com>, "'Bugtraq'" | | <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>, <http-equiv@...ite.com>, | | "'NTBugtraq'" <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>, "'Microsoft Security Response Center'" | | <secure@...rosoft.com>, <vulnwatch@...nwatch.org> | | Subject: [Full-Disclosure] RE: BAD NEWS: Microsoft Security Bulletin MS03-032 | >--------------------------------------------------------------------------------------------------------------| On Mon, 8 Sep 2003, Drew Copley wrote: > The only sure way to detect this, I already wrote about [to Bugtraq]. That > is by setting a firewall rule which blocks the dangerous mimetype string > [Content-Type: application/hta]. Everything else in the exploit can change. Just so we are clear, the firewall wouldn't tbe he right place to catch this because that string could be split by packet fragmentation, so you'd need to look for it at an application level, after the data stream has been reassembled. Of course, if anyone thinks it is easier to protect their browser with a proxy than fix the browser they've got other issues. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists