lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <81637804AB36A644BBDE3ED9DD4E73FDC66677@hermes.eCompany.gov>
From: dcopley at eeye.com (Drew Copley)
Subject: RE: new internet explorer exploit  (was new worm)

 

> -----Original Message-----
> From: Berend-Jan Wever [mailto:SkyLined@...p.tudelft.nl] 
> Sent: Monday, March 29, 2004 3:35 PM
> To: full-disclosure@...ts.netsys.com; bugtraq@...urityfocus.com
> Subject: Re: new internet explorer exploit (was new worm)
> 
> ----- Original Message ----- 
> From: "Drew Copley" <dcopley@...e.com>
> > Yeah. It is a zero day worm, and it is very notable as such.
> >
> > I can not recall a previous zero day worm. (AV is not my 
> job, but I do
> > try and follow zero day.)
> >
> > Hence, IE has birthed us the first zero day worm.
> >
> > We should be thankful it was not coded better, because it could have
> > caused some really serious problems. A hundred thousand systems is
> > really a low target when you consider 94% of all browsers 
> being used are
> > IE and the internet population is around the 400 million figure.
> 
> Just be thankfull the guy didn't take the time to find a 0day 
> xss issues in
> webbased e-mail services like hotmail/yahoo/etc... I still 
> wonder why these
> have not been exploited by email virii: They're not that hard 
> to find (check
> your archives) and it's just too easy to code a small worm in 
> javascript for
> these sites (I know from experience). 

Yeah, we have one with Yahoo in pending. Though, it was a bit difficult
to find. (It has not be added to our upcoming advisory list, yet.) 

In fact, I am good friends with several of the guys who found the last
ones... Dror Shalev and http-equiv. (Never really talked to Greymagic,
just by chance, I suppose.)

These are top bugfinders, though, and they are very skilled people. I do
not dismiss the skills of any of the people who have found these bugs...
but I do believe there are more in there.


> The only propagation 
> limiting problem
> is that all trafic goes through centralized servers which can 
> be easily
> updated (check your archives for site-specific responds 
> times). But if you
> combine it with your regular e-mail worm techniques, you can be sure
> propagation continues after that fix.

Right, I find these security holes extremely alarming. In fact, I
accidentally flamed a bug finder once because I thought he posted Yahoo
zero day... and I am known as a guy that is patient and apologetic for
those who post zero day without going to the vendor first. (Because I
know all too well, for one thing, that they don't have to post it at
all.)

And, I know what it feels like to have this Yahoo zero day in my pocket
here. It is a dangerous thing.

That's why this business is so much funner then writing database
programs.

> 
> Cheers,
> SkyLined
> 
> 
> 
> 


Powered by blists - more mailing lists