lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-id: <451803C5.24941.1ED7F082@nick.virus-l.demon.co.uk>
Date: Mon, 25 Sep 2006 16:28:53 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Cc: botnets@...testar.linuxbox.org, full-disclosure@...ts.grok.org.uk
Subject: Re: Yet another 0day for IE (Disabling Javascript
 no longer a fix)

Bill Stout wrote:

> http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-be
> ing.html 
> "This exploit can be mitigated by turning off Javascripting. 
> 
> Update: Turning off Javascripting is no longer a valid mitigation.  ...

Well, to pick a nit, the Sunbelt blog entry is correct -- the specific 
exploit they were talking about does requires scripting.

What you are referring to is that the suggested workaround to block 
that _exploit_ does not mitigate the _vulnerability_ that that same 
exploit takes advantage of, and you are correct.  The vulnerability can 
be (and has been since, both in PoC and in the wild IIRC) exploited 
with plain (??) "VML HTML" -- that is, without using scripting.

> ...   A
> valid mitigation is unregistering the VML dll. "

Much as a valid mitigation for a snake bite mid-calf is (swift) 
amputation below the knee...   8-)

If you'd like to keep using your lower leg -- I mean, VML in IE and 
other apps -- you might consider the third-party, unsupported, use-at-
your-own-risk ZERT patch, which mitigates the vulnerability while 
leaving VML functionality available:

   http://isotf.org/zert/

Seriously though, if we were all a little more careful about our use of 
terminology, this should all have been rather clear from the start.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ