"I just discovered a major flaw which affects all operating systems ever made, but I'm not saying where it is. I could get into your PC in seconds if I want to." -- Malory the non-FD hacker
On Mon, Jan 25, 2010 at 10:28 AM, Berend-Jan Wever <[email protected] > wrote: > How about rebranding to ZID, as in Zero Information Disclosures? > > > Berend-Jan Wever <[email protected]> > http://skypher.com/SkyLined > > > > > On Thu, Jan 21, 2010 at 9:07 PM, ZDI Disclosures < > [email protected]> wrote: > >> ZDI-10-011: Microsoft Internet Explorer Table Layout Col Tag Cache Update >> Remote Code Execution Vulnerability >> http://www.zerodayinitiative.com/advisories/ZDI-10-011 >> January 21, 2010 >> >> -- CVE ID: >> CVE-2010-0244 >> >> -- Affected Vendors: >> Microsoft >> >> -- Affected Products: >> Microsoft Internet Explorer >> >> -- Vulnerability Details: >> This vulnerability allows remote attackers to execute arbitrary code on >> vulnerable installations of Microsoft Internet Explorer. User >> interaction is required to exploit this vulnerability in that the target >> must visit a malicious page. >> >> The specific flaw exists when a Col element is used within an HTML table >> container. If this element is removed while the table is in use a cache >> that exists of the table's cells will be used after one of it's elements >> has been invalidated. This can lead to code execution under the context >> of the currently logged in user. >> >> -- Vendor Response: >> Microsoft has issued an update to correct this vulnerability. More >> details can be found at: >> >> http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx >> >> -- Disclosure Timeline: >> 2009-07-14 - Vulnerability reported to vendor >> 2010-01-21 - Coordinated public release of advisory >> >> -- Credit: >> This vulnerability was discovered by: >> * wushi of team509 >> >> -- About the Zero Day Initiative (ZDI): >> Established by TippingPoint, The Zero Day Initiative (ZDI) represents >> a best-of-breed model for rewarding security researchers for responsibly >> disclosing discovered vulnerabilities. >> >> Researchers interested in getting paid for their security research >> through the ZDI can find more information and sign-up at: >> >> http://www.zerodayinitiative.com >> >> The ZDI is unique in how the acquired vulnerability information is >> used. TippingPoint does not re-sell the vulnerability details or any >> exploit code. Instead, upon notifying the affected product vendor, >> TippingPoint provides its customers with zero day protection through >> its intrusion prevention technology. Explicit details regarding the >> specifics of the vulnerability are not exposed to any parties until >> an official vendor patch is publicly available. Furthermore, with the >> altruistic aim of helping to secure a broader user base, TippingPoint >> provides this vulnerability information confidentially to security >> vendors (including competitors) who have a vulnerability protection or >> mitigation product. >> >> Our vulnerability disclosure policy is available online at: >> >> http://www.zerodayinitiative.com/advisories/disclosure_policy/ >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
