lists.openwall.net
Open Source and information security mailing list archives
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: ADODB.Stream object

jelmer <jkuperus@...net.nl> to me:

<<snip explanation of 3rd-party app dragging HTML content across the
  "security zone barrier" unhindered>>
> I know this thought also crossed my mind. I also received some mail-borne
> viruses which used a similar scheme, but one may argue that had the zip
> file contained a .vbs or .exe file, people would have opened it as well.

Sure, but there have been a few other self-mailing viruses that have 
distributed themselves via .ZIP file attachments and the relative 
success of Mimail in particular seems in no small part attributable to 
the fact that "your average punter" is exceedingly unlikely to consider 
an HTML file to be "suspicious" _in any context_.

This observation of the expected -- "predictable" even -- failing of 
the human component in the "security chain" is what makes security 
vulnerabilities, such as this latest one Jelmer has pointed out, much more 
dangerous than the typical "Mitigating factors" BS in MS Security 
Bulletins would have you believe.  For those who haven't already 
realized, nearly everything listed as "Mitigating factors" in MS 
Security Bulletins related to HTML parsing/security zone/etc. flaws in 
IE/OE/OL is, in fact, a simple pointer to easy things any half-clever 
black-hat can obviously use to exploit the stupidity of several hundred 
million "typical Windows users", and usually most or all of these 
approaches will already have been outrageously successful (with other 
similar vulnerabilities) in two, three or more existing self-mailing 
viruses.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

