lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 5 Nov 2003 14:23:29 -0800
From: "Thor Larholm" <thor@...x.com>
To: "Liu Die Yu" <liudieyuinchina@...oo.com.cn>,
	<bugtraq@...urityfocus.com>
Subject: RE: Six Step IE Remote Compromise Cache Attack


This post raises an interesting question. Is our goal to find new
vulnerabilities and attack vectors to help secure users and critical
infrastructures, or is our goal to ease exploitation of existing
vulnerabilities?

There are no new vulnerabilities or techniques highlighted in this
attack (which is what it is), just a combination of several already
known vulnerabilities. This is not a proof-of-concept designed to
highlight how a particular vulnerability works, but an exploit designed
specifically to compromise your machine. All a malicious viruswriter has
to do is exchange the EXE file.

Believe me, I am all in for full disclosure and detailing every aspect
of a vulnerability to prevent future occurances of similar threats, but
I don't particularly think that we should actively be trying to help
malicious persons.



Regards
Thor Larholm
Senior Security Researcher
PivX Solutions, LLC
Get our research, join our mailinglist - http://pivx.com/larholm/


-----Original Message-----
From: Liu Die Yu [mailto:liudieyuinchina@...oo.com.cn] 
Sent: Wednesday, November 05, 2003 2:35 AM
To: bugtraq@...urityfocus.com
Subject: Six Step IE Remote Compromise Cache Attack

Snip
http://www.securityfocus.com/archive/1/343464/2003-11-02/2003-11-08/0


Powered by blists - more mailing lists