lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <810E6C87B49748459D05A34C4E5FE7774DE4AF@EXCHANGECLSTR.lagraphico.in>
Date: Thu Dec 29 17:17:03 2005
From: discussions at lagraphico.com (Discussion Lists)
Subject: Static Blocking for the WMF Exploit -
	over50known variants

Got it . . . the mscracks site is still available, so I have been
running my tests from that, and I think I may have a workaround for
anyone who is interested, but I need people to help me test it.  Here's
what I did:
 
First:
I created a virtual machine with SP2 installed, AVG Free AV and updated
it.  Then I went to the mscracks site.  I did this running as admin on
my computer BTW.  I noticed as the page came up, AVG Free alerted me to
a bunch of infections.  Bad news.
 
Last:
I reverted the virtual machine to the pre-mscracks state (with SP2, and
AVG Free), and updated AVG Free.  I then ran some code that activates
Window's SAFER mechanism for Internet Explorer.  I will attach a link at
the end of the email for more info.  I confirmed the IE was running with
reduced privs, and then opened MSCracks.  AVG Free didn't complain once
about infections and such.
 
To me that means that reducing browser privileges thwarts this exploit.
Can someone else test this for me as well?  Anyone interested in the
VBScript code I used for SAFER email me as well.  I will be happy to
send it along.
 
 

	-----Original Message-----
	From: Larry Seltzer [mailto:larry@...ryseltzer.com] 
	Sent: Thursday, December 29, 2005 9:07 AM
	To: Discussion Lists; full-disclosure@...ts.grok.org.uk
	Subject: RE: [Full-disclosure] Static Blocking for the WMF
Exploit - over50known variants
	
	
	>>Sorry if this was asked before, but how do I know if my
machine has been compromised?  I am working on a way to contain any
damage caused by this exploit, and it would be helpful to know for sure
that what I am doing is working or not working.
	 
	Unfortunately, I think the test for this is specific to each
variant and not to the WMF vector. IOW, there is no one test. 
	 
	Larry Seltzer
	eWEEK.com Security Center Editor
	http://security.eweek.com/ <blocked::http://security.eweek.com/>

	http://blog.ziffdavis.com/seltzer
<http://blog.ziffdavis.com/seltzer> 
	Contributing Editor, PC Magazine
	larryseltzer@...fdavis.com 
	 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051229/7787af98/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ