Zero-day IE exploit...

Discussion in 'Security Software' started by Imhotep, Nov 23, 2005.

  1. Imhotep

    Imhotep Guest

    "Microsoft has expressed concern that this new vulnerability was not
    disclosed to them first, potentially putting users at risk. Although there
    is currently no patch for this vulnerability, disabling Active Scripting or
    switching to an alternate browser such as Mozilla Firefox would effectively
    mitigate the risk."

    I do not believe that there is real malicous code flouting arround for this,
    this has been a known issue since May.....I believe MS has marked it as low
    and as such did nothing about it....typical.

    Imhotep, Nov 23, 2005
    1. Advertisements

  2. You left out the reason why: "The vulnerability targeted by the exploit was
    originally announced in May as a stability issue resulting in the browser

    There are tons of ways an attacker could cause IE or any other browser to
    lock up or shut down, and little reason for an attacker to want to do so. I
    do not at all blame Microsoft for putting this vulnerability on the back
    burner as it was known in May.

    Many vulnerabilities are not fixed right away because Microsoft cannot
    reproduce the vuln, which is the first step towards writing a patch. If the
    finder is not available to work with Microsoft on reproducing the vuln, that
    makes the task harder.

    I could be mistaken, but I understand there is code out there [at the site for example] and that Microsoft has confirmed the code.
    Some people have reported problems getting the exploit code to work,
    suggesting my "Microsoft cannot fix what they cannot repro" theory could be
    Karl Levinson, mvp, Nov 23, 2005
    1. Advertisements

  3. Imhotep

    Imhotep Guest

    I will. Certianlly, someone did not reasearch this vulnability well. They
    slapped and incorrect statement about it being a "low" priority and well,
    put their users and clients where they are now. F'd....but then again, the
    XBox was coming out...
    Well, certainly, oter people can reproduce this sure why MS could
    not... :)
    ....I tested it today and, bang, got a calculator...have you tried?

    In a nutshell, you always try to pu a spin on MS. However, a fact is a fact.
    MS dropped the ball, yet again, but classifiying this as a "low risk" when
    clearly, it is a critical risk...put the blame where it belongs. Microsoft
    screwed everyone clockwork.

    Imhotep, Nov 23, 2005
  4. Let's be clear here... the vuln reported in May was a denial of service, and
    Microsoft correctly prioritized it as such.
    The discussions I've heard in the public are it works for some and not
    others. I believe it's harder to figure out how to turn a denial of service
    vuln into a remote code execution one if it only occurs on certain system
    configurations. Otherwise, the vuln finder might try successful exploit
    code on a system that is not vulnerable and discard it as non-working.

    I'm not saying Microsoft had any trouble reproducing the code that came out
    a few days ago... I'm saying this makes it harder for MS or the original
    finder to turn the DoS into a remote code exploit. It seems likely the
    original finder would have tried to do this and probably only released this
    as a DoS when s/he was unable to do so. S/he also had six months afterwards
    in which to try to turn this into a remote code execution vuln, as did the
    rest of the world.
    I don't always spin things in Microsoft's favor.
    It's a critical risk now that remote code execution is found to be possible.

    If it was so easy for Microsoft to research the denial of service
    vulnerability in May and figure out how to make it exploit code, then why
    didn't anyone else do it? It's not like there's no one on the Internet
    trying to turn IE denial of service vulns into remote code execution vulns.
    I suspect it wasn't as easy as you think. Neither of us are really IE vuln
    finders, so in the end we're both guessing about how easy or hard it may
    have been to research this vuln.

    You may also be thinking that Microsoft could have fixed this six months ago
    had they just fixed the denial of service. That is not necessarily the
    case. It is entirely possible that if they had released a patch for the DoS
    attack, the patch may not have prevented this remote code execution vuln.
    Since MS did not know the details of this remote code execution vuln six
    months ago, they would not have been able to test it against their patch.

    It's also possible that properly fixing this vuln requires a major
    architectural change and that was why they delayed on releasing a patch, we
    don't know.
    karl levinson, mvp, Nov 23, 2005
  5. Imhotep

    Imhotep Guest

    No, let's be crystal clear here. The vulnerability reported in May is the
    SAME vulnerability now. Microsoft did not EVALUATE the security hole
    correctly, and as such, classified it as a "low" instead of a critical. In
    short, MS screwed up and screwed their customers again....

    So, if MS was on the ball, we would not be having this conversation would
    Well, honestly, you are much more apt to try and defend their
    position rather than simply saying MS dropped the ball again.
    No. It always WAS a critical security hole. Microsoft, did not spend much
    time evaluating this security hole. If they have it WOULD NEVER had been
    labled a "low" risk. If they had spent time, they would have seen the
    obvious; that remote code execution is possible.
    The specifics were never released. Maybe, Microsoft should just release the
    specifics of vulnerabilities and let the World tel that which ones to
    patch. Clearly, this would be better than relying on them to produce
    Well, when you are the biggest software company in the World, making how
    many billions a year?, I do expect better....but hey, it takes time and
    resources to put that XBox 3 whatever out...
    So, what you are saying is that Microsoft is incompetent. OK, I will agree
    with that.

    Again, excuses. Face it. Microsoft gets away with this crap because people
    are lazy and do not look for better software from alternate
    companies/sources. People do not hold Microsoft's feet to the fire because
    most people in the IT world are quite ignorant. You pay an extreme amount
    of money for their "solutions" then make feeble excuses trying to pretend
    your "investment" was worth it. All along ignoring the obvious; you just
    got ripped off!

    Imhotep, Nov 23, 2005
  6. Well here's my 2 pennies worth ....

    MS get told of the vulnerability maybe in a cryptic clue, such as there
    is a flaw in there chaps, can you see what it really is, i will give you
    6 months to suss it, after all you do have the source code, and after
    all you have all these security evaluators checking your code, and
    telling the developers how to avoid the pitfalls, but if you can't
    manage to find it with all your extensive facilities and minds, then i
    will make it real clear for you.

    Now i have nothing but respect for the guys who take the time to reverse
    engineer and find these exploits, not because of the damage they can do,
    but for their skills, and i find it a crying shame that many use those
    skills to cause problems, but when you think of the total disregard of
    the EULA committed by these people, and with microsofts policy of being
    heavy handed with legal pursuits, its little wonder that there are few
    who want to work with them to reproduce the failures, its often easier
    to release the flaw and then merge back into the crowd, but with a smug
    grin of satisfaction, and a possible slap on the back from other exploiters.

    All the best guys

    Martin Spencer-Ford
    Martin Spencer-Ford, Nov 24, 2005
  7. Imhotep

    Imhotep Guest

    Every good comments. Microsoft has in many ways caused the current

    Imhotep, Nov 24, 2005
  8. Oh come now. If a vuln finder was really concerned about being sued,
    finding and releasing a vuln without contacting Microsoft increases rather
    than decreases your likelihood of being hassled.

    The vuln finders that ARE worried about being hassled typically stop finding
    and/or releasing vulns publicly, as RFP and others did. They typically do
    NOT release them direct to the public as this vuln finder did, because that
    doesn't really get rid of the risk of being hassled. None of this really
    explains why the vuln was released as a DoS in May and took until November
    before anyone admitted to discovering how to use it to execute code

    While Microsoft has occasionally tried to hassle a few vuln finders for this
    reason or that, other vendors like Cisco and Oracle are much worse than
    Microsoft, in that they actually hassle vuln finders that are working
    responsibly with them.

    Anyways, if it's true as you suggest that this vuln finder did not release
    details about the vuln to Microsoft, then it's absurd to fault Microsoft for
    not independently figuring out the vulnerability.
    karl levinson, mvp, Nov 24, 2005
  9. Imhotep

    Alun Jones Guest

    That's a little optimistic. The reports sent to MSRC are not always clearly
    written, with simple instructions on how to reproduce the problem. Often, a
    crash is reported as a vulnerability, despite the gulf between the two -
    there are many ways to crash a computer without introducing a vulnerability.
    Despite this, every report sent to gets an
    investigation, with an engineer and a security program manager often
    spending several days trying various scenarios that might be able to
    reproduce the original problem, and communicating with the original
    discoverer (where there is a return address) to try and nail down the extent
    of the flaw.
    Microsoft has spent (and continues to spend) a considerable amount of time
    and effort reaching out to exploit discoverers, to allow them to engage with
    Microsoft on a more direct, personal level, rather than the usual
    "big-company" style of having an email drop-box that may, or more likely,
    may not, be responded to.

    If you're going to point out a company as the canonical "bad example", I'd
    say Oracle fits that description far better.

    [Please don't email posters, if a Usenet response is appropriate.]
    Alun Jones, Nov 24, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.