[EMAIL PROTECTED] wrote:
>
>
> This will handle the announced sploit...assuming you do snort, courtesy
> of Bleeding-Snort:
>
> http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities?view=markup
>
This will handle the specific variation used in that exploit, but blocking this completely is outside the scope of snort and most content scanners.

I see that even text/plain mails talking about the bug are "cleaned" by major AVs. This is especially brain-dead behavior since all advisories clearly say email is not a vector.

Due to the nature of JS, there are almost endless variations. Off the top of my head:

- getElementById is not necessary; for example, use getElementsByName
- checkbox/radio + createTextRange is not the only way of triggering the bug
- infinite obfuscation using eval()
- infinite obfuscation using document.write()

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
