[Dshield] IE 0day

Orlando Richards orlando.richards at ed.ac.uk
Tue Nov 22 09:06:06 GMT 2005


Finally got it to work on my IE (XPSP2, active scripting enabled) - it took
a few tries though. Maybe I wasn't being patient enough - or perhaps the
computerterrorism.com web server was having trouble serving up the goods. 

Disabling scripting stops the site working. Amusingly though, if you select
"prompt" for active scripting, the prompt says: 
"Scripts are usually safe. Do you want to allow scripts to run?"

I can't imagine any regular user would think twice about clicking "Yes" when
faced with that.

As I discovered in the ISC diary today, there's an MS alert:
http://www.microsoft.com/technet/security/advisory/911302.mspx
and we're at infocon yellow because of it!

As an aside - it also seems to very effectively crash my Firefox (1.0.7).

--
Orlando.

> I haven't tested it but there is more information on the 
> discoverer's site.
> 
> http://www.computerterrorism.com/research/ie/ct21-11-2005
> 
> 4. TEMPORARY SOLUTION
> 
> Until a patch is developed, users are advised to disable 
> active scripting
> for non-trusted sites.
> 
> 
> ==================================================
> David Taylor //Sr. Information Security Specialist
> University of Pennsylvania Information Security 
> Philadelphia PA USA
> (215) 898-1236
> http://www.upenn.edu/computing/security/
> ================================================== 
> 
> SANS - The Twenty Most Critical Internet Security Vulnerabilities 
> http://www.sans.org/top20/
> 
> SANS - Internet Storm Center
> http://isc.sans.org
> 
> irc.freenode.net #dshielders
> http://freenode.net/
> 
> 
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org]
> On Behalf Of Faber, Sidney
> Sent: Monday, November 21, 2005 10:12 AM
> To: list at lists.dshield.org
> Subject: [Dshield] IE 0day
> 
> 
> Has anyone been able to confirm any info about this IE remote code
> execution 0day reported by FrSIRT?  Can anyone recommend a reasonable
> defense?
> 
> http://www.frsirt.com/exploits/20051121.IEWindow0day.php
> 
> 
> 
> One of these IE 0days back in 2004 ushered in the new era of spyware
> infestation, I hope it doesn't happen again...
> 
> Thanks!
> sid
> 
> 
> ___________________
> Sid Faber
> Federated Investors
> Information Security
> sfaber at federatedinv.com
> 412-288-7427
> 
> 
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 
> 