What I want to know about this incident is why some (F-Secure and especially 
iDefense) were claiming with confidence yesterday that a PDF with the most 
recent exploit was the main attack vector. Now Adobe and McAfee are saying 
there's no actual evidence a PDF was involved. I have a lot of links in here:

http://blogs.pcmag.com/securitywatch/2010/01/new_ie_0-day_not_acrobat_named.php

McAfee appears to be the original identifier of the IE 0-day. iDefense, on the 
other hand, seems to have gotten their information at least partly from 
"sources in the defense contracting and intelligence consulting community": 
http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars

Lots more links, especially McAfee links, here: 
http://extraexploit.blogspot.com/2010/01/iexplorer-0day-cve-2010-0249.html

Larry Seltzer
Contributing Editor, PC Magazine
[email protected] 
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Juha-Matti Laurio
Sent: Friday, January 15, 2010 5:08 AM
To: Paul Ferguson
Cc: [email protected]
Subject: Re: [funsec] MSIE 6/7/8 unpatched vulnerability confirmed

Very good points and references. I'll reply later today.
MSIE vulnerability is Extremely Critical SA38209 now:
http://secunia.com/advisories/38209/2/

Juha-Matti

Paul Ferguson [[email protected]] kirjoitti: 
> 
> On Fri, Jan 15, 2010 at 12:51 AM, Juha-Matti Laurio
> <[email protected]> wrote:
> 
> > http://www.microsoft.com/technet/security/advisory/979352.mspx
> >
> > This is the 0-day vulnerability used in Google China attack.
> >
> 
> Minor Correction: This is the 0-Day used in *some* of the Chinese targeted
> attacks.
> 
> This appears to be a multi-pronged attack -- other organizations in the
> past week or so have also been targeted via e-mail with malicious
> attachments.
> 
> I would be hard-pressed to say that *all* of the targeted attacks *only*
> employed the IE heap-spray 0-Day vulnerability/exploit, since it appears
> that some of the other targeted organizations were targeted with e-mail
> containing malicious attachments, e.g. the law firm (Gipson Hoffman &
> Pancione) that is suing China over the CyberSitter code theft being used in
> Green Dam:
> 
> http://blogs.zdnet.com/BTL/?p=29533
> http://www.theregister.co.uk/2010/01/15/cybersitter_law_firm_attack/
> 
> Also, we have seen these same tactics used (malicious attachments in e-mail
> disguised as legitimate communiqués) before when targeting Tibetan support
> groups. It is quite possible (although not all the details are yet known)
> that this was also recently used against a local (to me) Stanford student
> who is a regional coordinator of Students for a Free Tibet:
> 
> http://www.mercurynews.com/ci_14195105
> 
> So, it is *quite possible* that this was a series of attacks, where the IE
> 0-Day discovered by McAfee was used on *some* of the targeted victims and
> others were compromised by malicious e-mail attachments -- we have seen
> several undetected, booby-trapped .PDF exploits in the past week, including
> this one described this morning over at the SANS Internet Storm Center:
> 
> http://isc.sans.org/diary.html?storyid=7984
> 
> And also Julia @ FireEye has this excellent post up tonight:
> 
> http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html
> 
> I think it is dangerous, from a defense perspective, to say "This is
> responsible for that" when there are clearly several different things
> happening here -- instead of looking for quick explanation, everyone should
> step back and observe that there are several critical paths to compromise
> at work here.
> 
> $.02,
> 
> - - ferg
> 
> 
> 
> -- 
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawgster(at)gmail.com
>  ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.