Although this ms-its exploit has been around, the true author of finding this is an UNKNOWN author. I remember when it was _reported_ by Thor but he did not take credit. As for it being 0-day: it sure is. None of Microsoft's patches stop it, nor did Norton AntiVirus Corp. I have no idea who you are, Gadi, to give such comments like that.

Michael Evanchik
----- Original Message -----
Sent: Monday, June 07, 2004 4:47 PM
Subject: [Full-Disclosure] Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)
Comments inline.

Jelmer wrote:
> Just when I thought it was safe to once more use internet explorer I received
> an email bringing my attention to this webpage
> http://216.130.188.219/ei2/installer.htm
> that according to him used an exploit that affected fully patched
> internet explorer 6 browsers. Being rather skeptical I carelessly
> clicked on the link only to witness how it automatically installed
> adware on my pc!!!

So, you just clicked on the link which was reported as unsafe, did you? :)
Those protocol handlers always seem to cause problems and it's not just on Windows, Apple has had just as many problems in dealing with these for OS X. If it's not a lack of input validation then it is a lack of zone restrictions, perhaps the entire concept of higher privileged zones of any kind should be abandoned.

Are these really new vulnerabilities or just variants of old? The "Location: URL:" proxy really just looks like the "Location: File:" proxy that Liu Die Yu reported and the object caching stuff really just looks like a variation of the advisories from GreyMagic back in 2002 with the showModalDialog caching and javascript: injection. Other than those 2, the only real vulnerability on the page is the Ibiza chm stuff which still works on plenty of fully patched machines.
> Now there had been reports about 0day exploits making rounds for quite some
> time like for instance this post
>
> http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0

Why is this a 0-day? Are you trying to start a holy war here? Please explain why this is a 0-day if you make such claims.
> However I hadn't seen any evidence to support this up until now
> Thor Larholm as usual added to the confusion by deliberately spreading
> disinformation as seen in this post
>
> http://seclists.org/lists/bugtraq/2004/May/0153.html

Thor?

Spreading disinformation?
> Attributing it to and I quote "just one of the remaining IE vulnerabilities
> that are not yet patched"

That sounds about right.
> I've attempted to write up an analysis that will show that there are at
> least 2 new and AFAIK unpublished vulnerabilities (feel free to prove me
> wrong) out there in the wild, one being fairly sophisticated

I, personally, appreciate any serious research work, but why put down a colleague while you're at it?
> You can view it at:
>
> http://62.131.86.111/analysis.htm
>
> Additionally you can view a harmless demonstration of the vulnerabilities at
>
> http://62.131.86.111/security/idiots/repro/installer.htm
>
> Finally I also attached the source files to this message

If this really was a 0-day, isn't that a tad irresponsible?
As to Thor...

You are claiming that he is deliberately spreading disinformation, but then you proceed to verify his claims.

Are you sure you don't just have a personal vendetta against him? I don't see what's wrong with him pitching his product (Quik-Fix (?)) when reporting his research. That's how the industry works.

You do research and advertise the company that did it, and what solution it offers. Working for free doesn't put food on the table and he has a product that might actually protect against such issues. What's next, you will complain about AV companies who say they detect a virus or security researchers that get paid to work instead of living off the street credit from the security mailing lists? Maybe you just don't like companies of any kind.
As to the research itself...

Thor went through the hnc3k.com website and listed all the pages and vulnerabilities on it, which sounds like an exhaustive task to me. But didn't you do the same when analyzing the 180 solutions Trojan pages? It sounds pretty exhaustive as well.

The difference is that Thor also told you how to protect against this, by locking down the My Computer zone. I can't see anywhere that Thor was referring to the object caching vulnerability you are listing as new. In my mind, he was referring to the old Unpatched page that he used to maintain and that would mean he said some of those are still not patched.

I miss that page. It was very good.

We know that Ibiza still works and that there are still problems with the SSL certificate handling in IE, don't you think he was just referring to those? From this side it really just looks as if you are trying to deal a low blow against Mr. Larholm because you have some personal grudge against him.
I hope I provided you with information to re-think your claims.

Also, please try and keep your grudges to yourself where 50K plus busy people need to sift through vital information?

Gadi Evron.

--
Email: [EMAIL PROTECTED]. Work: [EMAIL PROTECTED]. Backup: [EMAIL PROTECTED]. Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html