> -----Original Message-----
> From: Thor Larholm [EMAIL PROTECTED]
> Sent: Thu, 11 Sep 2003 16:02:11 -0700
> Subject: [Full-Disclosure] Internet explorer 6 on windows XP
> allows exection of arbitrary code
>
> The new addition here is abusing how you are able to load a
> resource file, residing in a local security zone, into a
> window object. Service Pack 1 for IE6 did a lot to deter this
> on most regular window objects, but should have extended that
> effort to search panes as well. Seeing as the content of a
> search pane can be any registered COM extension to IE,
> perhaps more should be done to completely separate these from
> the reach of ordinary scripting.
>
> Combining the mediabar resource loading with the
> file-protocol proxy demonstrates just how effectively one can
> combine several vulnerabilities to achieve a higher level of
> automation in planting and executing files. The media bar
> resource loading, and any other resource loading technique,
> can be combined with any other cross-domain scripting
> vulnerability to achieve the same result.
>
> We will definitely see more combinatorial vulnerabilities in
> the time to come.

As Jelmer noted, these have been around. Http-Equiv's latest zero day this past week was as pure of a combination as you can get... As he noted.

[Interesting note: Not long after this he added the GreyMagic version of the variant of my object tag bug... People have apparently forgotten that even Dave Ahmad - Bugtraq moderator, Unix security guy - had the first variant on that bug. So, there is another variant apparently no one else knows about until now. Whoop dee doo.]

[I am just glad people didn't call my 'object data bug' "the wrongly called object data bug" because a variant was found. Uggh. I look up that old object tag bug used in this latest zero day... everywhere they have it called "the wrongly called popup bug".]

[I should have called the bug the "fried green tomato bug". I can call an advisory whatever I want... and I always expect there to be more variants or issues involved in it.]

[Lastly, this latest "object type bug" is often confused with the "object data bug". This is due recompense. Entirely different bugs. Very few people apparently realize this. One is a buffer overflow, one is an input validation bug. Very big difference.]

...

One thing that can be difficult in these regards, though, is needing to use two different bugs to have one final output. This can be difficult to release if the vendor wishes to release the two bugs in different fixes. But, I only recall these types of issues being released without concern for the vendor's time to fix.

With all of the open bugs that have just been made... There are probably many, many variants. Some of these may be combinations. There are probably expansions to some of these bugs. Maybe some are more serious than originally thought. There is definitely some very interesting stuff in these. Very clever attacks.

The days of buffer overflows are getting shorter and shorter... But bugs that mean remote compromise are here to stay for a very long time.

>
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
> http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities

----- Original Message -----
From: "jelmer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, September 11, 2003 3:31 PM
Subject: [Full-Disclosure] Internet explorer 6 on windows XP allows exection of arbitrary code

> Internet explorer 6 on windows XP allows execution of arbitrary code
>
> DESCRIPTION :
>
> Yesterday Liu Die Yu released a series of advisories concerning
> internet explorer by combining one of these issues with an earlier
> issue I myself reported a while back
> You can construct a specially crafted webpage that can take any action on a
> user's system
> including but not limited to, installing trojans, keyloggers, wiping
> the user's hard drive etc.

<snip http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html >

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
