Message-ID: <000001c3797f$b3cdc3c0$2b02a8c0@dcopley>
From: dcopley at eeye.com (Drew Copley)
Subject: Internet explorer 6 on windows XP allows execution of arbitrary code
> -----Original Message-----
> From: Thor Larholm thor@...x.com
> Sent: Thu, 11 Sep 2003 16:02:11 -0700
> Subject: [Full-Disclosure] Internet explorer 6 on windows XP
> allows execution of arbitrary code
>
>
> The new addition here is abusing how you are able to load a
> resource file, residing in a local security zone, into a
> window object. Service Pack 1 for IE6 did a lot to deter this
> on most regular window objects, but should have extended that
> effort to searchpanes as well. Seeing as the content of a
> search pane can be any registered COM extension to IE,
> perhaps more should be done to completely separate these from
> the reach of ordinary scripting.
>
> Combining the mediabar resource loading with the
> file-protocol proxy demonstrates just how effectively one can
> combine several vulnerabilities to achieve a higher level of
> automation in planting and executing files. The media bar
> resource loading, and any other resource loading technique,
> can be combined with any other cross-domain scripting
> vulnerability to achieve the same result.
>
> We will definitely see more combinatorial vulnerabilities in
> the time to come.
As Jelmer noted, these have been around. Http-Equiv's latest zero day this
past week was as pure of a combination as you can get... As he noted.
[Interesting Note: Not long after this he added the greymagic version of the
variant of my object tag bug... People have apparently forgotten that even
Dave Ahmad - Bugtraq moderator Unix security guy - had the first variant on
that bug. So, there is another variant apparently no one else knows about
until now. Whoop dee doo. ]
[I am just glad people didn't call my 'object data bug', " the wrongly
called object data bug" because a variant was found. Uggh. I look up that
old object tag bug used in this latest zero day... everywhere they have it
called "the wrongly called popup bug".]
[I should have called the bug the "fried green tomato bug". I can call an
advisory whatever I want... and I always expect there to be more variants or
issues involved in it.]
[Lastly, with this latest "object type bug", it is often confused with the
"object data bug". This is due recompense. Entirely different bugs. Very few
people apparently realize this. One is a buffer overflow, one is an input
validation bug. Very big difference.]
...
One thing that can be difficult in these regards, though, is needing to use two
different bugs to have one final output. This can be difficult to release if
the vendor wishes to release the two bugs in different fixes. But, I only
recall these types of issues being released without concern for the vendor's
time to fix.
With all of the open bugs that have just been made... There are probably
many, many variants. Some of these may be combinations. There are probably
expansions to some of these bugs. Maybe some are more serious than
originally thought.
There is definitely some very interesting stuff in these. Very clever
attacks. The days of buffer overflows are getting shorter and shorter... But
bugs that mean remote compromise are here to stay for a very long time.
>
>
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
> http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities
----- Original Message -----
From: "jelmer" <jkuperus@...net.nl>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Thursday, September 11, 2003 3:31 PM
Subject: [Full-Disclosure] Internet explorer 6 on windows XP allows execution
of arbitrary code
> Internet explorer 6 on windows XP allows execution of arbitrary code
>
> DESCRIPTION :
>
> Yesterday Liu Die Yu released a series of advisories concerning
> Internet Explorer. By combining one of these issues with an earlier
> issue I myself reported a while back,
> you can construct a specially crafted webpage that can take any action on a
> user's system,
> including but not limited to, installing trojans, keyloggers, wiping
> the user's hard drive etc.
<snip>
http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html
>