lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <0H71003QRTKXGP@smtp2.clear.net.nz>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: How often are IE security holes exploited?

"Richard M. Smith" <rms@...puterbytesman.com> replied to Paul:

> Thanks for the reply.  Let me try to clarify things a bit.
> 
> I'm most interested in security holes related to IE, ActiveX controls,
> and the Microsoft JVM.  Basically things that can be exploited from an
> HTML Web page or email message.   As you noted, these kinds of security
> holes can be exploited from Outlook, Outlook Express, and Windows Media
> Player.

OK -- that's pretty much what I assumed in my other answer.

> Something like Loveletter didn't use any security holes to run.  It's
> probably the best example of social engineering being used to get people
> to run a virus/worm by clicking on an attached file.

Well, it is that, but it was so successful because far too many
_corporate_ sites were so mal-administered or mal-managed. 
LoveLetter did not get sent to 350 squillion Email addresses because 
it found that many addresses in home and small business user address 
books.  It got there because it hit a few really large sites (think 
DoD, and the _really big_ corporations -- places with huge GALs and 
that use Outlook).  It took that level of embarrassment (sometimes 
repeated two or three times in teh ensuing month or two) for the 
admins and/or management at many large corporate sites to acknowledge 
that only blocking known viruses coming in, or possibly "known 
viruses plus attachments of one or two extensions that we suspect 
might be the big problem ones" was yet another case of a 
simplistically stupid approach to a complex problem that had only 
started to actually be exploited at that point...

> Also does anyone know of an example of a virus or worm that used an IE
> security hole that hadn't been seen before?

I forget exactly which offhand (perhaps the first Yaha or something
just before it?) took advantage of the CR-only (or LF-only??) line
break issue, in which many Unix mail servers will incorrectly pass
what should be CRLF line-terminations and are otherwise invalid
characters in standard SMTP traffic.  Several content filter and AV
Email scanner parsers "mis-handled" these messages, missing the
attachments entirely (why these products were not written from the
beginning to "fail closed" has still not been satisfactorily
answered) and passing the bad messages on.  Of course, Outlook
and/or OE "happily" saw the messages as intended and they would
detach and run the atatchments (and of course the users, feeling
"safe" because they knew their Email was scanned for bad things,
happily double-clicked away...).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ