List: full-disclosure
Subject: [Full-Disclosure] RE: new internet explorer exploit (was new worm)
From: "Drew Copley" <dcopley () eeye ! com>
Date: 2004-03-30 18:59:41
Message-ID: 81637804AB36A644BBDE3ED9DD4E73FDC66677 () hermes ! eCompany ! gov
> -----Original Message-----
> From: Berend-Jan Wever [mailto:SkyLined@edup.tudelft.nl]
> Sent: Monday, March 29, 2004 3:35 PM
> To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com
> Subject: Re: new internet explorer exploit (was new worm)
>
> ----- Original Message -----
> From: "Drew Copley" <dcopley@eeye.com>
> > Yeah. It is a zero day worm, and it is very notable as such.
> >
> > I can not recall a previous zero day worm. (AV is not my job, but I do
> > try and follow zero day.)
> >
> > Hence, IE has birthed us the first zero day worm.
> >
> > We should be thankful it was not coded better, because it could have
> > caused some really serious problems. A hundred thousand systems is
> > really a low target when you consider 94% of all browsers being used are
> > IE and the internet population is around the 400 million figure.
>
> Just be thankful the guy didn't take the time to find 0day xss issues in
> web-based e-mail services like hotmail/yahoo/etc... I still wonder why these
> have not been exploited by email virii: They're not that hard to find (check
> your archives) and it's just too easy to code a small worm in javascript for
> these sites (I know from experience).

Yeah, we have one with Yahoo in pending. Though, it was a bit difficult
to find. (It has not been added to our upcoming advisory list, yet.)

In fact, I am good friends with several of the guys who found the last
ones... Dror Shalev and http-equiv. (Never really talked to Greymagic,
just by chance, I suppose.)

These are top bugfinders, though, and they are very skilled people. I do
not dismiss the skills of any of the people who have found these bugs...
but I do believe there are more in there.

> The only propagation limiting problem is that all traffic goes through
> centralized servers which can be easily updated (check your archives for
> site-specific response times). But if you combine it with your regular
> e-mail worm techniques, you can be sure propagation continues after that fix.

Right, I find these security holes extremely alarming. In fact, I
accidentally flamed a bug finder once because I thought he posted Yahoo
zero day... and I am known as a guy that is patient and apologetic for
those who post zero day without going to the vendor first. (Because I
know all too well, for one thing, that they don't have to post it at
all.)

And, I know what it feels like to have this Yahoo zero day in my pocket
here. It is a dangerous thing.

That's why this business is so much funner than writing database
programs.

>
> Cheers,
> SkyLined
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html