According to SANS ISC the exploit code has been made public:
http://isc.sans.org/diary.html?storyid=8002

Juha-Matti

Larry Seltzer [[email protected]] wrote:
> What I want to know about this incident is why some (F-Secure and especially
> iDefense) were claiming with confidence yesterday that a PDF with the most
> recent exploit was the main attack vector. Now Adobe and McAfee are saying
> there's no actual evidence a PDF was involved. I have a lot of links in here:
>
> http://blogs.pcmag.com/securitywatch/2010/01/new_ie_0-day_not_acrobat_named.php
>
> McAfee appears to be the original identifier of the IE 0-day. iDefense, on
> the other hand, seems to have gotten their information at least partly from
> "sources in the defense contracting and intelligence consulting community":
> http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars
>
> Lots more links, especially McAfee links, here:
> http://extraexploit.blogspot.com/2010/01/iexplorer-0day-cve-2010-0249.html
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> [email protected]
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Juha-Matti Laurio
> Sent: Friday, January 15, 2010 5:08 AM
> To: Paul Ferguson
> Cc: [email protected]
> Subject: Re: [funsec] MSIE 6/7/8 unpatched vulnerability confirmed
>
> Very good points and references. I'll reply later today.
> MSIE vulnerability is Extremely Critical SA38209 now:
> http://secunia.com/advisories/38209/2/
>
> Juha-Matti
>
> Paul Ferguson [[email protected]] wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Fri, Jan 15, 2010 at 12:51 AM, Juha-Matti Laurio
> > <[email protected]> wrote:
> >
> > > http://www.microsoft.com/technet/security/advisory/979352.mspx
> > >
> > > This is the 0-day vulnerability used in the Google China attack.
> > >
> >
> > Minor Correction: This is the 0-Day used in *some* of the Chinese targeted
> > attacks.
> >
> > This appears to be a multi-pronged attack -- other organizations in the
> > past week or so have also been targeted via e-mail with malicious
> > attachments.
> >
> > I would be hard-pressed to say that *all* of the targeted attacks *only*
> > employed the IE heap-spray 0-Day vulnerability/exploit, since it appears
> > that some of the other targeted organizations were targeted with e-mail
> > containing malicious attachments, e.g. the law firm (Gipson Hoffman &
> > Pancione) that is suing China over the CyberSitter code theft being used in
> > Green Dam:
> >
> > http://blogs.zdnet.com/BTL/?p=29533
> > http://www.theregister.co.uk/2010/01/15/cybersitter_law_firm_attack/
> >
> > Also, we have seen these same tactics used (malicious attachments in e-mail
> > disguised as legitimate communiqués) before when targeting Tibetan support
> > groups. It is quite possible (although not all the details are yet known)
> > that this was also recently used against a local (to me) Stanford student
> > who is a regional coordinator of Students for a Free Tibet:
> >
> > http://www.mercurynews.com/ci_14195105
> >
> > So, it is *quite possible* that this was a series of attacks, where the IE
> > 0-Day discovered by McAfee was used on *some* of the targeted victims and
> > others were compromised by malicious e-mail attachments. We have seen
> > several undetected, booby-trapped .PDF exploits in the past week, including
> > this one described this morning over at the SANS Internet Storm Center:
> >
> > http://isc.sans.org/diary.html?storyid=7984
> >
> > And also Julia @ FireEye has this excellent post up tonight:
> >
> > http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html
> >
> > I think it is dangerous, from a defense perspective, to say "This is
> > responsible for that" when there are clearly several different things
> > happening here -- instead of looking for a quick explanation, everyone should
> > step back and observe that there are several critical paths to compromise
> > at work here.
> >
> > $.02,
> >
> > - - ferg
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP Desktop 9.5.3 (Build 5003)
> >
> > wj8DBQFLUDgDq1pz9mNUZTMRAq6UAJ9LTD94zBMBm/1XpiH89PnO/Ok45gCdEhWq
> > nDMfkF9noJ91vueOk8Bj6kI=
> > =rfh4
> > -----END PGP SIGNATURE-----
> >
> >
> > --
> > "Fergie", a.k.a. Paul Ferguson
> >  Engineering Architecture for the Internet
> >  fergdawgster(at)gmail.com
> >  ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
