IE 9 hacked with two 0-day vulnerabilities

Discussion in 'Anti-Virus' started by Virus Guy, Mar 10, 2012.

  1. Virus Guy

    Virus Guy Guest

    Again, more bullshit use of the term "0 day".

    It's a newly discovered IE vulnerability. It will still be a
    vulnerability a year from now if it's not patched. And it's still a
    vulnerability for anyone that doesn't have the patch.

    0-day my ass.

    So today it's a "zero-day" vulnerability. Does that mean that tomorrow
    it will be a "one-day" vulnerability, and a week from today it will be a
    "7-day" vulnerability?

    I dare anyone to explain the usefulness or logic of the term "x-day" in
    this context.

    And - Windows 98 will still not be exploitable by it.

    ========================

    http://news.hitb.org/content/pwn2own-2012-ie-9-hacked-two-0day-vulnerabilities

    Microsoft’s Internet Explorer 9 browser has fallen.

    A team of French researchers exploited two different IE zero-day flaws
    to break into a fully patched Windows 7 SP1 machine and take an almost
    unassailable lead in this year’s CanSecWest Pwn2Own competition.

    The hacking team, from French security research outfit VUPEN, used an
    unpatched heap overflow bug to bypass DEP and ASLR and a separate memory
    corruption flaw to break out of the browser’s Protected Mode sandbox.
    The code execution attack, which required no user action beyond browsing
    to a rigged web site, also works on Internet Explorer v10 (consumer
    preview) running on Windows 8.
     
    Virus Guy, Mar 10, 2012
    #1

  2. Virus Guy

    Virus Guy Guest

    But it can only be "zero-day" for just ONE DAY! The "zero" day. !

    ===========
    http://www.msnbc.msn.com/id/46681839/ns/technology_and_science-security/

    On March 8, researchers from the French security firm Vupen exploited
    two bugs, an unpatched heap overflow flaw and a memory-corruption
    vulnerability, to crack Microsoft's IE9 Web browser and run code outside
    the sandbox
    ===========

    So - was this a "zero-day" vulnerability as of March 8?

    ===============
    VUPEN will give up the rights to only one of the IE bugs. “We’re only
    giving up the heap overflow. We will keep the Protected Mode bypass
    private for our customers,” Bekrar said.

    He said VUPEN used two researchers working for six weeks on a full-time
    basis to craft the IE 9 exploit for Pwn2Own.

    “This one was difficult. When you have to combine many vulnerabilities
    and bypass all these protections, it takes a longer time,” he said,
    noting that his team came to Vancouver with zero-day flaws for every
    browser on every operating system.
    ===============

    Again with the zero-day bullshit terminology.

    So technically it was a zero-day vulnerability 7 weeks ago - yes? Which
    means that right now it can only be described as a "7-week"
    vulnerability today - yes?

    Or does this mean it can still be called a "zero-day" vulnerability
    today ( March 9)? What about on March 19? Or May 9?

    When does a "zero-day" vulnerability lose its "zero-day" status?
    I know the thread, but I don't think I really got a satisfactory or
    logical explanation at the time.

    ============
    Bekrar said the code execution attack also works on old versions like
    IE6
    ============

    How much you want to bet that the exploit falls flat on its face when
    exposed to a win-98/IE6 system?

    Where can I find an on-line link that will expose my system to a POC
    version of this exploit and cause it to run calc.exe?

    Is this the same (or a different) IE9 vulnerability:

    http://seclists.org/bugtraq/2011/Oct/131

    ??????????????

    If that is a different vulnerability, then why is this being hyped at
    CanSecWest by being called the FIRST IE-9 vulnerability?

    ===========
    Explaining the two-stage IE 9 attack, Bekrar said the first
    vulnerability was used to execute first-stage shellcode. ”In this
    first-stage shellcode, we included a second exploit. [Then] we move the
    code execution from low integrity level to medium integrity level and
    bypass the Protected Mode sandbox.”

    Bekrar said his team has found “many vulnerabilities in Protected Mode”
    that are all unpatched. ”We used a memory corruption vulnerability in
    the way Protected Mode is implemented but we have found many more
    vulnerabilities there.”

    He said VUPEN’s motive for participating in Pwn2Own was to prove that a
    dedicated hacker can bypass all security protections, even on the newest
    operating systems. ”We want to show that we can.”
    =============

    Where are the NT apologists?

    Where are all you sycophants for the NT-based OS's?

    What do you have to say about your precious, so-called "superior"
    operating system? Where is your so-called "security".

    Windows NT: Woven from the finest, most delicate and expensive code (so
    fine that you almost really can't see it).

    Windows 9x/me: Looks around, points a finger and laughs at NT.

    Microsoft: "If it works, it's not complicated enough!"
     
    Virus Guy, Mar 10, 2012
    #2

  3. Dustin

    Dustin Guest

    It's still exploitable by a trick attributed to me. :) Basically win98 has
    no file level security. I can be executed from one file and place myself
    into ALL of your files in seconds. Windows NT based systems can prevent me
    from doing that. win9x/me can't. If your AV doesn't know me, I 0wn you
    right then, you're mine, all mine. Under an NT system using the proper user
    and file permissions, toadie/irok can easily be contained. You have no
    such containment ability without an av protecting you.

    Really, win98 offers you no security advantage over NT. No, some new
    trojans won't properly run, but everything else still will. Just fine, in
    fact.
     
    Dustin, Mar 10, 2012
    #3
  4. Virus Guy

    Virus Guy Guest

    What's the CVE number?
    How are you going to get an executable file onto my system AND execute
    it in the first place?
     
    Virus Guy, Mar 10, 2012
    #4
  5. Shadow

    Shadow Guest

    Only two?
    Nice to see they are improving.
    :)
    []'s
     
    Shadow, Mar 11, 2012
    #5
  6. That has already been explained to you.

    [...]
     
    FromTheRafters, Mar 11, 2012
    #6
  7. It helps people to understand how there can be a successful attack
    against a "fully patched" system. If it wasn't a zero-day exploit, then
    you weren't really "fully patched".

    It can still be a (relatively) "new bug" for some time after the
    vulnerability is patched, but it can no longer be a zero-day
    vulnerability or exploit once the patch is made available.
     
    FromTheRafters, Mar 11, 2012
    #7
  8. Nah, it just means before day one.

    [...]
    On day one. It can be zero-day for *years* before being brought to light.

    [...]
     
    FromTheRafters, Mar 11, 2012
    #8
  9. Dustin

    Dustin Guest

    Don't have one handy for you. You are welcome to peruse vx.netlux.org. I'm
    credited as the one who discovered the fact windows nt systems will let
    you combine multiple exes into one. You smash the PE header and you load,
    you restore it later, windows lets you if you appear to be dos based.

    Basically you extend the mz stub and keep windows from seeing the PE
    section. Windows will execute YOUR code, you can bring the real PE back
    online whenever you want.

    I know it's beyond you, but I couldn't resist sharing anyway.
    Doesn't apply. You claimed win9x is more secure and it's not.
     
    Dustin, Mar 11, 2012
    #9
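Dustin's post describes a file shape worth being able to spot on the defensive side: an executable that presents only an MZ/DOS stub to the loader (the `e_lfanew` field at offset 0x3C does not point at a valid `PE\0\0` header) while a real PE header is parked elsewhere in the file. The checker below is an added example, not code from the thread or from any project. It parses the DOS header, checks whether the declared PE offset actually holds a PE signature followed by a known machine type, and then sweeps the whole file for PE signatures at undeclared offsets. The three sample files are constructed inline; the COFF stubs carry only the signature and machine field and are not loadable images.

```python
"""Flag Windows executables whose PE header is missing or sits at an undeclared offset."""
import struct

PE_SIG = b"PE\0\0"
# IMAGE_FILE_HEADER.Machine values for the common architectures
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "amd64", 0x01C4: "armnt", 0xAA64: "arm64"}


def e_lfanew(data: bytes):
    """Return the PE header offset declared in the DOS header, or None if this is not an MZ file."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    return struct.unpack_from("<I", data, 0x3C)[0]


def pe_header_at(data: bytes, off: int):
    """Return the machine name if a plausible PE/COFF header starts at off, else None."""
    if off < 0 or off + 6 > len(data) or data[off:off + 4] != PE_SIG:
        return None
    machine = struct.unpack_from("<H", data, off + 4)[0]
    return KNOWN_MACHINES.get(machine)


def find_pe_signatures(data: bytes):
    """Every offset at which a plausible PE header (signature + known machine) starts."""
    hits, pos = [], data.find(PE_SIG)
    while pos != -1:
        if pe_header_at(data, pos):
            hits.append(pos)
        pos = data.find(PE_SIG, pos + 1)
    return hits


def classify(data: bytes) -> dict:
    """Classify a file as not-mz, pe, or dos-stub-only, and list PE headers at undeclared offsets."""
    off = e_lfanew(data)
    if off is None:
        return {"kind": "not-mz", "hidden_pe_offsets": []}
    declared = pe_header_at(data, off)
    hidden = [p for p in find_pe_signatures(data) if p != off]
    return {
        "kind": "pe" if declared else "dos-stub-only",
        "e_lfanew": off,
        "machine": declared,
        "hidden_pe_offsets": hidden,  # non-empty means a PE header the DOS header does not point at
    }


# --- constructed samples (not real binaries) ---------------------------------

def make_dos_header(lfanew: int) -> bytes:
    """64-byte DOS header with only the 'MZ' magic and e_lfanew filled in."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, lfanew)
    return bytes(hdr)


def make_coff_stub(machine: int = 0x014C) -> bytes:
    """PE signature plus a 20-byte COFF header with only Machine set (constructed, not loadable)."""
    return PE_SIG + struct.pack("<H", machine) + b"\0" * 18


# normal layout: DOS header, padding, PE header at the declared offset 0x80
SAMPLE_NORMAL = make_dos_header(0x80) + b"\0" * (0x80 - 64) + make_coff_stub()
# DOS-only layout: e_lfanew points back at the 'MZ' magic, no PE header anywhere
SAMPLE_DOS_ONLY = make_dos_header(0) + b"\x90" * 32
# hidden layout: same bogus e_lfanew, but a PE header is parked after the stub code
SAMPLE_HIDDEN = make_dos_header(0) + b"\x90" * 32 + make_coff_stub() + b"\0" * 16


if __name__ == "__main__":
    for name, blob in (("normal", SAMPLE_NORMAL), ("dos-only", SAMPLE_DOS_ONLY), ("hidden", SAMPLE_HIDDEN)):
        print(name, classify(blob))
```

On a real corpus you would feed `classify()` the first few hundred KB of each file; a `dos-stub-only` verdict on a file that carries an executable extension, or any non-empty `hidden_pe_offsets`, is a cheap triage signal rather than proof of anything, since legitimate installers and packers also embed whole PE images as payloads.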
