---------- Forwarded message ----------
From: Ven Ted <[email protected]>
Date: Mon, Dec 6, 2010 at 8:31 PM
Subject: Re: [Full-disclosure] verizon vs m$
To: John Lightfoot <[email protected]>
"the payload can create a web server listening on any port on the loopback interface, even as a limited user at low integrity"

I'm only going from what the paper says - but that indicates to me that you create a web server from protected mode, creating an intranet server that didn't previously exist, so you're not pwning anyone's intranet, and you don't need to already be running as a medium integrity process to serve the malicious intranet page.

On Mon, Dec 6, 2010 at 8:27 PM, John Lightfoot <[email protected]> wrote:
>
> <snip>
> Once the initial remote exploit has been used to execute arbitrary code
> </snip>
>
> I think Thor's point is if your Intranet is pwned such that it's hosting
> remote exploits, you're already screwed.
>
> It's a configuration issue, anyway, so it's easy enough to mitigate
> against. My question is why did MS choose to disable Protected Mode by
> default in the Local Internet Zone? I've only run across one application
> that won't run in Protected Mode, it seems like it should be on by default
> for all zones.
>
> On Mon, Dec 6, 2010 at 1:49 AM, Thor (Hammer of God) <[email protected]>
> wrote:
>
> I don't understand how Dan arrived at "Researchers bypass Internet Explorer
> Protected Mode" for the article title. Protected Mode isn't being bypassed
> at all - the "researchers that figured out a reliable way to bypass the
> measure" apparently just noticed that Protected Mode is disabled by default
> in the Local Intranet Zone.
>
> Is this something you are concerned about? This would obviously only be
> exploitable by accessing sites on one's own intranet by specifically using
> intranet nomenclature (and trusted sites, but the user has to add those).
> Also, the article (or the researchers) are incorrect about the default
> settings for the Intranet zone - it's Medium-low, not Medium. If the
> problem one is trying to fix is based on attackers compromising intranet
> sites and then posting code for unpatched vulnerabilities that would still
> end up only running in the user context, then you've got much bigger
> problems, no?
>
> I'm just wondering why you are bringing attention to the article, or really,
> why it was written in the first place.
>
> t
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Georgi Guninski
> Sent: Sunday, December 05, 2010 1:26 PM
> To: [email protected]
> Subject: [Full-disclosure] verizon vs m$
>
> in a world like this, verizon kills exploder bugs:
>
> http://www.theregister.co.uk/2010/12/03/protected_mode_bypass/
>
> http://www.verizonbusiness.com/resources/whitepapers/wp_escapingmicrosoftprotectedmodeinternetexplorer_en_xg.pdf
>
> the language doesn't seem passionate:
> -----
> Finally, Microsoft and other software vendors should clearly document which
> features do and do not have associated security claims. Clearly stating
> which features make security claims, and which do not, will allow informed
> decisions to be made on IT security issues.
> -----
>
> lol
>
> --
> joro
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
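The "configuration issue" John refers to is the per-zone Protected Mode switch. The following PowerShell is an added example for this page, not code from the thread, the Verizon paper or Microsoft: it audits the current user's Protected Mode setting for each IE security zone and turns it on for the Local Intranet zone, which is where the thread says it is off by default. It assumes the documented IE zone layout under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones (zone 1 = Local Intranet, DWORD 2500 = "Turn on Protected Mode", 0 = enabled, 3 = disabled); the function names are mine.

```powershell
# Added example (not from the thread or the Verizon paper): audit and enable
# IE Protected Mode per security zone via the per-user zone registry keys.
# Assumption: zone 1 is Local Intranet and DWORD 2500 holds "Turn on
# Protected Mode" with 0 = enabled, 3 = disabled.

$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-IEProtectedModeState {
    # One object per zone: raw value 2500 plus a readable state.
    foreach ($zone in 0..4) {
        $key   = "$zonesKey\$zone"
        $value = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        $state = switch ($value) {
            0       { 'Enabled' }
            3       { 'Disabled' }
            default { 'Not set (zone default applies)' }
        }
        [pscustomobject]@{
            Zone          = $zone
            Name          = $zoneNames[$zone]
            RawValue      = $value
            ProtectedMode = $state
        }
    }
}

function Enable-IEProtectedModeForIntranet {
    # Set 2500 = 0 for Local Intranet (zone 1) so pages reached by intranet
    # nomenclature, including a listener on localhost, also run in the
    # low-integrity Protected Mode process instead of at medium integrity.
    $key = "$zonesKey\1"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '2500' -Value 0 -Type DWord
}

# Before: expect zone 1 to show Disabled on a default install.
Get-IEProtectedModeState | Format-Table -AutoSize

Enable-IEProtectedModeForIntranet

# After: zone 1 should now report Enabled; restart IE for it to take effect.
Get-IEProtectedModeState | Where-Object { $_.Zone -eq 1 } | Format-Table -AutoSize
```

Two caveats a practitioner will hit: if the "Security Zones: Use only machine settings" policy is in force, the HKCU values are ignored and the same 2500 value has to be set under HKLM (or, preferably, pushed with the "Turn on Protected Mode" Group Policy for the Intranet Zone), and a running IE instance does not pick the change up until it is restarted. Note also that this closes only the zone-escalation path the thread discusses; a medium-integrity process can still be reached through any Protected Mode elevation policy or broker bug, which is a separate problem.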
