[Dshield] IE 0day

Discussion Lists discussions at lagraphico.com
Tue Nov 22 15:51:46 GMT 2005


"Contrary to popular beliefs, the aforementioned security issue is
susceptible to remote, arbitrary code execution, yielding full system
access with the privileges of the underlying user."

Meaning any damage caused as a result can be contained by making sure
that IE is run with user privs at the highest, right?  Obviously admin
privs would be dangerous, but normal user privs should not allow it to
write to sensitive dirs, is that correct?

Thanks!

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Orlando Richards
> Sent: Tuesday, November 22, 2005 1:06 AM
> To: 'General DShield Discussion List'
> Subject: Re: [Dshield] IE 0day
> 
> 
> Finally got it to work on my IE (XPSP2, active scripting 
> enabled) - it took a few tries though. Maybe I wasn't being 
> patient enough - or perhaps the computerterrorism.com web 
> server was having trouble serving up the goods. 
> 
> Disabling scripting stops the site working. Amusingly though, 
> if you select "prompt" for active scripting, the prompt says: 
> "Scripts are usually safe. Do you want to allow scripts to run?"
> 
> I can't imagine any regular user would think twice about 
> clicking "Yes" when faced with that.
> 
> As I discovered in the ISC diary today, there's an MS alert: 
> http://www.microsoft.com/technet/security/advisory/911302.mspx
> and we're at infocon yellow because of it!
> 
> As an aside - it also seems to very effectively crash my 
> Firefox (1.0.7).
> 
> --
> Orlando.
> 
> > I haven't tested it but there is more information on the
> > discoverer's site.
> > 
> > http://www.computerterrorism.com/research/ie/ct21-11-2005
> > 
> > 4. TEMPORARY SOLUTION
> > 
> > Until a patch is developed, users are advised to disable active
> > scripting for non-trusted sites.
> > 
> > 
> > ==================================================
> > David Taylor //Sr. Information Security Specialist
> > University of Pennsylvania Information Security
> > Philadelphia PA USA
> > (215) 898-1236
> > http://www.upenn.edu/computing/security/
> > ================================================== 
> > 
> > SANS - The Twenty Most Critical Internet Security Vulnerabilities
> > http://www.sans.org/top20/
> > 
> > SANS - Internet Storm Center
> > http://isc.sans.org
> > 
> > irc.freenode.net #dshielders
> > http://freenode.net/
> > 
> > 
> > 
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org
> > [mailto:list-bounces at lists.dshield.org]
> > On Behalf Of Faber, Sidney
> > Sent: Monday, November 21, 2005 10:12 AM
> > To: list at lists.dshield.org
> > Subject: [Dshield] IE 0day
> > 
> > 
> > Has anyone been able to confirm any info about this IE remote code
> > execution 0day reported by FrSIRT?  Can anyone recommend a reasonable
> > defense?
> > 
> > http://www.frsirt.com/exploits/20051121.IEWindow0day.php
> > 
> > 
> > 
> > One of these IE 0days back in 2004 ushered in the new era of spyware
> > infestation, I hope it doesn't happen again...
> > 
> > Thanks!
> > sid
> > 
> > 
> > ___________________
> > Sid Faber
> > Federated Investors
> > Information Security
> > sfaber at federatedinv.com
> > 412-288-7427
> > 
> > 
> > _______________________________________________
> > send all posts to list at lists.dshield.org
> > To change your subscription options (or unsubscribe), see: 
> > http://www.dshield.org/mailman/listinfo/list