lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: randnut at hotmail.com (first last)
Subject: Re: Round One: "DLL Proxy" Attack Easily Hijacks SSL From Internet Explorer

>Summary:
>A LoadLibrary / LoadLibraryEx weakness makes SSL on Internet Explorer very
>vulnerable to a “DLL proxy” attack. If exploited, unencrypted data can be
>intercepted before Internet Explorer (IE) uses the SSL module to encrypt 
>the
>data. Therefore, confidential information such as bank accounts and
>passwords could be stolen. Many applications are vulnerable to “DLL proxy”
>attack with different ramifications.

This is OLD news. Where have you been? It's been used for as long as 
LoadLibrary has existed by programs monitoring other programs. There are 
dozens of other ways of reading data from another program before and after 
data is encrypted/decrypted. I could write a dozen similar advisories and 
post them here and to BugTraq but I won't because they're OLD news.

>Vendor Status:
>Microsoft was informed of this weakness in December 2003. As of February 5,
>2004, Microsoft has not provided any indication that they intend to provide
>any remedies for the affected Windows configurations.

Of course they won't because this is OLD news.

The subject of your email is "Round One," so I hope your next rounds will 
have some new information.

_________________________________________________________________
Get some great ideas here for your sweetheart on Valentine's Day - and 
beyond. http://special.msn.com/network/celebrateromance.armx


Powered by blists - more mailing lists