Yay! Another really bad exploit in IE found!


Post by MD-2389 »

http://slashdot.org/articles/04/01/28/2 ... &tid=172&tid=185&tid=190&tid=201

"Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"

Show of hands here....how many are really surprised? With **** like this happening, it's a small wonder why people continue to use Idiot Exploiter...


Post by Mobius »

LOL @ Idiot Explorer!

Post by Jeff250 »

The only problem with the majority of Mozilla's vulnerabilities is that nobody's found them yet.

Post by Mobius »

Ipso Facto - they aren't a problem!

Post by Birdseye »

I haven't used Mozilla because file new doesn't create a copy of your existing window... anyone know a command to duplicate the browser you are looking at?

Post by Nitrofox125 »

There's something in the settings of every browser: "On new window a) Go to homepage or b) Stay at current page" or w/e

Post by Lothar »

file - new - navigator window doesn't give you a new window?

Post by MD-2389 »

> Originally posted by Lothar:
> file - new - navigator window doesn't give you a new window?

He's referring to Mozilla not doing a new window like IE does. (brings up the current page in the new window) Which, IMO, is a very good thing since I always found that an extremely annoying "feature" of IE.

However, don't fret Birds because I've found exactly the way to do that. Go into your preferences and click on Navigator. Click the pulldown menu and select "New Window". Then click on "Last Page Visited". Then click OK and you're good to go.


Post by Top Wop »

Gimmie a W00t for Firebird!

Post by MD-2389 »

> Originally posted by Jeff250:
> The only problem with the majority of Mozilla's vulnerabilities is that nobody's found them yet.

But when they are found, they're actually fixed. Fixing bugs in their browser doesn't appear to be MS policy anymore.

Post by fliptw »

One needs to remember that IE is based on NCSA Mosaic... they just went and added stuff to that browser over the years.

Mozilla itself is a fairly young codebase, and being cross platform, isn't as tightly integrated as IE is. So the nature of exploits and their impact between the two are like apples and oranges.

Post by fliptw »

MS provides a work around.

Post by Birdseye »

Thanks MD! I think I will give Mozilla another run. I preferred its password auto-fill in (some places I had two accounts, and it remembered either and let me choose, example being PayPal)

Post by fliptw »

and tells us about the upcoming patch

Post by JMEaT »

browser wars are so lame...

Post by DCrazy »

Wait....... what?! No more http://user:pass@domain syntax?? Isn't that kind of against the standard? Over time the tradition has been for IE to move (ever slowly) towards standards-compliance.

Post by Tetrad »

> Originally posted by fliptw:
> and tells us about the upcoming patch

Actually looking at this for a few minutes, that patch is for the 'previous' bug mentioned in the first post.

This particular bug is about embedding a CLSID into a filename to make it look like a particular extension when it's something else completely.

If you're running the Proxomitron you can put in a filter that fixes that issue.

[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Disposition: IE Exploit Attachment-Spoof [Alert+Choice] (in)"
Match = "\1{\2}\3&$ALERT(*** WARNING ***\nIE Attachment-Spoof Exploit
Detected!\n\n\1{\2}\3)($CONFIRM(Allow only the attachment below? (Safest action
= NO)\n\n\1\3)|$SET(1=\k)$SET(3=))"
Replace = "\1\3"

or if you don't want dialog boxes

In = TRUE
Out = FALSE
Key = "Content-Disposition: Attachment Spoof removal"
Match = "(*)\1{*}(*)\2"
Replace = "\1\2"

This still causes it to display a different filename, but the file will not execute with the given CLSID properties (instead using the spoofed ones), thereby blocking the exploit, without removing correct Content-Disposition handling. I.e. if somebody gives you a link to an .exe, renamed to .pdf, with the .exe CLSID, it'll open in Acrobat instead of just running.
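
A Python equivalent of the second, no-dialog filter above, added here as an example (it is not Tetrad's or Proxomitron's code). It removes every {...} run from a Content-Disposition value rather than only the first, and reports whether the removed text had CLSID/GUID shape; the function names and the sample headers are constructed for illustration.

```python
import re

# Any brace-delimited run; the page's filter matches "(*)\1{*}(*)\2".
BRACED = re.compile(r"\{[^{}]*\}")
# Shape of a CLSID/GUID inside braces (8-4-4-4-12 hex digits).
GUID = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")


def filter_content_disposition(value):
    """Return (cleaned_value, findings) for one Content-Disposition value.

    cleaned_value has every {...} run removed (the page's second filter
    removes the first one); findings lists what was removed and whether
    it had GUID shape, for logging or alerting.
    """
    findings = [
        {"removed": m.group(0), "guid_shaped": bool(GUID.fullmatch(m.group(0)))}
        for m in BRACED.finditer(value)
    ]
    return BRACED.sub("", value), findings


def filter_headers(headers):
    """Apply the filter to a list of (name, value) response headers."""
    out, alerts = [], []
    for name, value in headers:
        if name.lower() == "content-disposition":
            value, found = filter_content_disposition(value)
            alerts.extend(found)
        out.append((name, value))
    return out, alerts


# Constructed sample response headers; the all-zero GUID is a placeholder.
SAMPLE = [
    ("Content-Type", "application/pdf"),
    ("Content-Disposition",
     'attachment; filename="notes{00000000-0000-0000-0000-000000000000}.pdf"'),
]

if __name__ == "__main__":
    cleaned, alerts = filter_headers(SAMPLE)
    for name, value in cleaned:
        print(f"{name}: {value}")
    for a in alerts:
        print("removed:", a["removed"], "guid-shaped:", a["guid_shaped"])
```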

Post by Viralphrame »

> Originally posted by JMEaT:
> browser wars are so lame...

I love you.

Post by Jeff250 »

> Originally posted by DCrazy:
> Wait....... what?! No more http://user:pass@domain syntax?? Isn't that kind of against the standard? Over time the tradition has been for IE to move (ever slowly) towards standards-compliance.

I can't recall a time I've ever used that for HTTP.

Post by Tyranny »

It came in handy for logging in to certain sites if you had permissions to access those sites in the first place. So instead of getting a dialog box once you typed in the regular URL going to the site where you'd have to enter in the information to view it, the information would already be given to the site via the URL using that syntax.

Post by Tetrad »

> Originally posted by Jeff250:
> I can't recall a time I've ever used that for HTTP.

It's used a lot on the porn site password hax0r pages.

Post by Jeff250 »

lol ok

Post by roid »

Birdy, and if you want a new TAB to display the page you are currently at in Firebird, there is a plugin for that called "clone window". Just look for it on the plugins/extensions page.