[Dshield] Exploit for IE vulnerability (MS05-038) appears same day as patch

Frank Knobbe frank at knobbe.us
Wed Aug 10 04:57:06 GMT 2005


On Tue, 2005-08-09 at 23:46 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Tue, 09 Aug 2005 23:51:10 -0000, "Fergie (Paul Ferguson)" said:
> > Well, I'd recmmend that users patch this hole immediately, because over on
> > FrSIRT, an exploit for this vulnerabilty has already shown up. Details on both
> > below.
> 
> Does anybody outside Microsoft's PR department *really* believe these exploits
> are reverse-engineered from the patch?  I suspect we're going to see a lot of
> PoC's coming in for a landing now that a patch is available, reducing the 0-day's
> effectiveness...

I think it's safe to assume that these exploits have already been used
in the Underground but have become worthless now that the cat is out of
the bag and everyone is dutifully patching their systems. And hence the
useless scripts bubble to the surface on K-otik, or are sold for *cough*
"top dollars" *cough* to places like iDefense or 3Com.

So, wait a second... doesn't that make them 21-days or something like
that? Doesn't seem much 0-day to me... or do they start counting at say
-45 in the Underground?

Cheers,
Frank

-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20050809/e719c8d6/attachment.bin


More information about the list mailing list