[<prev] [next>] [day] [month] [year] [list]
Message-id: <451803C5.24941.1ED7F082@nick.virus-l.demon.co.uk>
Date: Mon, 25 Sep 2006 16:28:53 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Cc: botnets@...testar.linuxbox.org, full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Yet another 0day for IE (Disabling Javascript no
longer a fix)
Bill Stout wrote:
> http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-be
> ing.html
> "This exploit can be mitigated by turning off Javascripting.
>
> Update: Turning off Javascripting is no longer a valid mitigation. ...
Well, to pick a nit, the Sunbelt blog entry is correct -- the specific
exploit they were talking about does requires scripting.
What you are referring to is that the suggested workaround to block
that _exploit_ does not mitigate the _vulnerability_ that that same
exploit takes advantage of, and you are correct. The vulnerability can
be (and has been since, both in PoC and in the wild IIRC) exploited
with plain (??) "VML HTML" -- that is, without using scripting.
> ... A
> valid mitigation is unregistering the VML dll. "
Much as a valid mitigation for a snake bite mid-calf is (swift)
amputation below the knee... 8-)
If you'd like to keep using your lower leg -- I mean, VML in IE and
other apps -- you might consider the third-party, unsupported, use-at-
your-own-risk ZERT patch, which mitigates the vulnerability while
leaving VML functionality available:
http://isotf.org/zert/
Seriously though, if we were all a little more careful about our use of
terminology, this should all have been rather clear from the start.
Regards,
Nick FitzGerald
Powered by blists - more mailing lists