Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Exploit against MS07-033 being used in the wild

Published: 2007-06-23
Last Updated: 2007-06-23 15:29:36 UTC
by Kyle Haugsness (Version: 1)
0 comment(s)

The Symantec folks identified a website exploiting a bug from this months Microsoft patches, specifically the Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability.  Here is the URL to their blog entry:

http://www.symantec.com/enterprise/security_response/weblog/2007/06/deepsight_honeynet_detects_obf.html

Apparently, the actual exploit is similar to the proof of concept code posted on a popular exploit site ten days ago.

Keywords:
0 comment(s)

More Hostile Advertisement Filtering

Published: 2007-06-23
Last Updated: 2007-06-23 13:41:50 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

Yesterday we published a diary about blocking active code in banner ads.  Adrian wrote to us to provide additional information on some of the tools he uses. 

Adblock plus is a blacklisting mechanism. It is useful for blocking images and all sorts of ads, when you know exactly what the URLs for those are, or you can make a reasonable wildcard for, but in the end it won't catch everything, and most importantly, it won't catch everything THE FIRST TIME. You have to know it to block it, and that means loading it at least once.

This is where NoScript comes in, it turns the javascript trust mechanism upside down, using whitelisting instead. So, instead of allowing everything by default, it blocks everything by default (and that means flash, javascript, java, etc), and you can decide EXACTLY which sites you allow content to come from and be executed.

https://addons.mozilla.org/en-US/firefox/addon/722

If a web page pulls down javascript code from more than one place you can decide if you allow or deny javascript for each site that JS code is referenced from.  This means you can allow javascript to be executed for a page you know it's safe and at the same time block javascript from anywhere else that's referenced on that page.

NoScript + AdBlock plus +adblock filter subscriptions (i.e. self-updating) are a great way of filtering junk that's out there, and are working great as a team.
http://noscript.net/faq#qa1_4

Other filters to consider:

EasyElement+Easylist
http://easylist.adblockplus.org/easyelement+easylist.txt

ABP Tracking filter
http://easylist.adblockplus.org/abp-tracking-filter.txt

RO List (for filtering ads on Romanian sites)
http://www.picpoc.ro/menetzrolist.txt

Jamie Plucinski's filter list
http://www.jamieplucinski.com/adblock/subscription.php


Thanks, Adrian!

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords:
0 comment(s)
Diary Archives