This will handle the announced sploit...assuming you do snort, courtesy of Bleeding-Snort:


http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities?view=markup


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB CLIENT Internet Explorer createTextRange Code Execution"; flow:established,from_server; content:"document.getElementById"; content:"createTextRange"; nocase; distance:3; within:50; pcre:"/=\s*document\.getElementById.{0,30}?createTextRange/smi"; classtype:attempted-user; reference:bugtraq,17196; reference:cve,2006-1359; sid:2002860; rev:2; )



[EMAIL PROTECTED] wrote on 03/24/2006 04:36:49 PM:

> Internet Storm Center's always informative Diary has the following new
> information:
>
> "a particular site uses the "createTextRange" vulnerability to install a
> spybot variant."
>
> More details at
> http://isc.sans.org/diary.php?storyid=1212
>
> The timestamp of updated Diary entry is 2006-03-24 21:49:09 UTC.
> No need to say that their role is not to share exact URLs.
>
> - Juha-Matti
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hey All,
> >
> > I know this isn't really the place, but hey.
> > Has anyone got any sites that are currently using this, ideally links?
> >
> > TIA
> >
> > xyberpix
> >
> > Blog: http://blogs.securiteam.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
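
Added example (not part of the original post and not Bleeding-Snort code): a Python emulation of the payload options in the rule above, run over constructed response bodies to show how the content chain and the pcre each contribute to an alert. It ignores the flow, port and address options, and the distance/within window semantics are an assumption noted in the code.

```python
import re

# Payload options copied from the rule on this page (sid:2002860).
FIRST = b"document.getElementById"   # content, case-sensitive
SECOND = b"createtextrange"          # content with nocase (compared lower-cased)
DISTANCE, WITHIN = 3, 50
PCRE = re.compile(rb"=\s*document\.getElementById.{0,30}?createTextRange",
                  re.S | re.M | re.I)  # pcre flags /smi


def content_chain_matches(payload: bytes) -> bool:
    """Emulate the two content matches with distance/within.

    Assumption: the second search starts DISTANCE bytes after the end of the
    first match and covers WITHIN bytes from there; every occurrence of the
    first content is tried in turn.
    """
    lowered = payload.lower()
    pos = payload.find(FIRST)
    while pos != -1:
        start = pos + len(FIRST) + DISTANCE
        if SECOND in lowered[start:start + WITHIN]:
            return True
        pos = payload.find(FIRST, pos + 1)
    return False


def rule_fires(payload: bytes) -> bool:
    """All payload options must hold; the pcre is not relative, so it scans the whole payload."""
    return content_chain_matches(payload) and PCRE.search(payload) is not None


# Constructed server-to-client bodies (not captured traffic).
SAMPLES = {
    # Assignment of a getElementById(...) lookup followed by createTextRange: alerts.
    "assigned_lookup": b'<script>r = document.getElementById("box").createTextRange();</script>',
    # Both strings close together by coincidence: content chain hits, pcre rejects.
    "unrelated_calls": b'<script>document.getElementById("a").focus(); r = document.body.createTextRange();</script>',
    # createTextRange without getElementById: first content never matches.
    "body_range": b"<script>var r = document.body.createTextRange();</script>",
    # Strings present in the opposite order: relative match fails.
    "reversed_order": b'<script>var r = document.body.createTextRange(); var e = document.getElementById("box");</script>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16} content={content_chain_matches(body)!s:5} fires={rule_fires(body)}")
```

The rule keys on a script pattern rather than on the flaw itself, so any page that assigns a getElementById(...) result and calls createTextRange on it will alert, including legitimate ones.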