Internet Storm Center
Training
Certification
Cyber Security Graduate School
Security Awareness Training
Computer Forensics
Penetration Testing
IT Audit
Software Security
advertisement
Use Discount Code SANSFIREISC10 when registering to get a 10% discount!!
Use Discount Code SANSFIREISC10 when registering to get a 10% discount!!
Changed Infocon status to Yellow, re: Windows Internet Explorer vulnerability
Published: 2005-11-21,
Last Updated: 2005-11-21 23:18:29 UTC
by Mike Poor (Version: 1)
Last Updated: 2005-11-21 23:18:29 UTC
by Mike Poor (Version: 1)
Infocon has been raised to Yellow due to the exploit being publicly available, combined with the lack of a patch for this specific vulnerability. Disable Javascript in your Internet Explorer browsers, or switch to another browser. We have received reports that Safari suffers from a DOS condition, but I have not been able to replicate it with Safari running on 10.3 or 10.4 series OSX machines.
Mike Poor
Handler on Duty
Intelguardians
Mike Poor
Handler on Duty
Intelguardians
Keywords:
0 comment(s)Snort Rule released on BleedingSnort for the Windows Javascript vulnerability
Published: 2005-11-21,
Last Updated: 2005-11-21 21:54:22 UTC
by Mike Poor (Version: 1)
Last Updated: 2005-11-21 21:54:22 UTC
by Mike Poor (Version: 1)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE CURRENT EVENTS Microsoft Internet
Explorer Window() Possible Code Execution"; flow:established,from_server;
content:"window"; nocase; pcre:"/[=:'"s]windows*(s*)/i";
reference:url,secunia.com/advisories/15546; \ reference:url,www.computerterrorism.com/research/ie/ct21-11-2005;
reference:cve,2005-1790; classtype:attempted-user; sid:2002682; rev:1; )
Download it directly from here:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_Internet_Explorer?view=markup
Please let us know about problems with this rule, and/or when you notice sites hosting/performing this exploit.
thanks!
Mike Poor
Handler on Duty
Intelguardians
(msg:"BLEEDING-EDGE CURRENT EVENTS Microsoft Internet
Explorer Window() Possible Code Execution"; flow:established,from_server;
content:"window"; nocase; pcre:"/[=:'"s]windows*(s*)/i";
reference:url,secunia.com/advisories/15546; \ reference:url,www.computerterrorism.com/research/ie/ct21-11-2005;
reference:cve,2005-1790; classtype:attempted-user; sid:2002682; rev:1; )
Download it directly from here:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_Internet_Explorer?view=markup
Please let us know about problems with this rule, and/or when you notice sites hosting/performing this exploit.
thanks!
Mike Poor
Handler on Duty
Intelguardians
Keywords:
0 comment(s)* Internet Explorer 0-day exploit
Published: 2005-11-21,
Last Updated: 2005-11-21 20:15:54 UTC
by Johannes Ullrich (Version: 4)
Last Updated: 2005-11-21 20:15:54 UTC
by Johannes Ullrich (Version: 4)
the UK group "Computer Terrorism" released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration.
The bug uses a problem in the javascript 'Window()' function, if run from 'onload'. 'onload' is an argument to the HTML <body> tag, and is used to execute javascript as the page loads.
The Javascript Window() vulnerability has been known for a few months now, but it has so far been treated as a denial of service (DoS) vulnerability. The author of this PoC figured out a way to use this older vulnerability to execute code.
Impact:
Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).
In addition ot the PoC 'Calculator' exploit, a reader (thanks Chris R!) submitted a version that opens a remote shell. The PoC exploit allows for easy copy/paste of various shell code snippets.
In itself, the vulnerability will not escalate privileges. We are trying to verify other exploits at this point.
Mitigation:
Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting firefox. But others may. For firefox, the extnion 'noscript' can be used to easily allow Javascript for selected sites only.
The bug uses a problem in the javascript 'Window()' function, if run from 'onload'. 'onload' is an argument to the HTML <body> tag, and is used to execute javascript as the page loads.
The Javascript Window() vulnerability has been known for a few months now, but it has so far been treated as a denial of service (DoS) vulnerability. The author of this PoC figured out a way to use this older vulnerability to execute code.
Impact:
Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).
In addition ot the PoC 'Calculator' exploit, a reader (thanks Chris R!) submitted a version that opens a remote shell. The PoC exploit allows for easy copy/paste of various shell code snippets.
In itself, the vulnerability will not escalate privileges. We are trying to verify other exploits at this point.
Mitigation:
Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting firefox. But others may. For firefox, the extnion 'noscript' can be used to easily allow Javascript for selected sites only.
Keywords:
0 comment(s)Comments
Please choose a specific diary above to comment
Diary Archives
