Message-ID: <Pine.LNX.4.21.0609191646240.17521-100000@linuxbox.org>
Date: Tue, 19 Sep 2006 16:47:16 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: bugtraq@...urityfocus.com
Cc: botnets@...testar.linuxbox.org, full-disclosure@...ts.grok.org.uk
Subject: Re: Yet another 0day for IE
Webattacker is a hacker kit for preparing a website to exploit users,
infecting them. It has statistics on OS, browser type, etc., as well as on
how many got infected by what exploit.
Nick FitzGerald, Roger Thompson and now Dan Hubbard
(http://www.websense.com/securitylabs/blog/blog.php?BlogID=80) report
that sites seen exploiting this 0day in-the-wild have previously been
seen utilizing Webattacker. If Webattacker indeed uses this 0day... it
will be spread far and wide.
No patch in sight. Easy to exploit.
Gadi.
On Tue, 19 Sep 2006, Gadi Evron wrote:
> Sunbelt Software released a warning on a new IE 0day they detected
> in-the-wild, to quote them:
> "The exploit uses a bug in VML in Internet Explorer to overflow a buffer
> and inject shellcode. It is currently on and off again at a number of
> sites.
> Security researchers at Microsoft have been informed. This story is
> developing and research is ongoing. Security professionals can contact
> me for collaboration or further information. This exploit can be mitigated
> by turning off Javascripting."
>
> They also notified some closed and vetted security information sharing
> groups on the matter, with further details. You can find their blog entry
> here:
> http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
>
> That's that.
>
> Why do I call it a 0day? Because it has indeed been used in-the-wild
> before it was publicly discovered. People are CURRENTLY, and have been for
> a while now, being exploited.
>
> Lately we call every exploit being released in full disclosure mode a
> 0day. That's a 1-day or at least it has to be from now on, as there are
> just too many of those and there are more to come.
>
> This trend started with Websense detecting an IE 0day (not really IE
> - WMF) used in-the-wild by spyware, to infect users.
> "Responsible disclosure" is important, but when it takes so long to get a
> response or a fix from "irresponsible vendors", and with so much money to
> be made by not disclosing vulnerabilities at all, it is becoming
> passé. New exploits don't need to be gleaned from patches or feared in
> full disclosure. Someone just pays for a 0day... it's their business and
> they invest in it.
>
> So:
> 1. Lots more coming.
> 2. Please call it a 1-day if it's full disclosure mode, and 0day if it
> has been seen in-the-wild.
>
> The motivation has now moved from "let's be responsible" or "let's have
> fun" to "let's make money" or "let's stop waiting and be mocked by
> irresponsible vendors". This is not about everybody, it's about how things are.
>
> Even idefense and zdi can't pay enough when compared with people who make
> money from what the 0day gives them - exploited users and a money making
> botnet.
>
> Thanks,
>
> Gadi.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/