
Re: [Full-disclosure] Fwd: verizon vs m$



Yeah, I didn't mean to suggest that you were personally backing up that 
statement - the point being danced over in the paper is the "just create a web 
server in protected mode sourced from the Internet."  It's analogous to "just 
break into someone's house and find the Brinks cellular-based alarm control 
unit and you can do a faraday wrap to prevent the signal from going out."

I guess the real question is "why do I care what these people think."  You 
would think that after all the stupid security tricks I've seen discussed in 
this industry that I would have better learned to convert the ignorance to the 
ignored.   One last note (to the list) - I got an email somewhat critical of 
Dan (the author of the article) and want to make sure it is understood that I'm 
not claiming that HE came up with a deceptive title - that's something the 
editors of El Reg do.  I've had many an article originally written for Security 
Focus have its title changed when shared at the Reg.  One of note was an 
article changed to a title of "Users Should Get a Freaking Clue" which I never 
said - it does, however, drive ad clicks.

t


From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Ven Ted
Sent: Monday, December 06, 2010 12:33 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Fwd: verizon vs m$


---------- Forwarded message ----------
From: Ven Ted <v3nt3d@xxxxxxxxxxxxxx>
Date: Mon, Dec 6, 2010 at 8:31 PM
Subject: Re: [Full-disclosure] verizon vs m$
To: John Lightfoot <jlightfoot@xxxxxxxxx>

"the payload can create a web server listening on any port on the loopback 
interface, even as a limited user at low integrity"

I'm only going from what the paper says - but that indicates to me that you 
create a web server from protected mode, creating an intranet server that 
didn't previously exist, so you're not pwning anyone's intranet, and you don't 
need to already be running as a medium integrity process to serve the malicious 
intranet page.

On Mon, Dec 6, 2010 at 8:27 PM, John Lightfoot <jlightfoot@xxxxxxxxx> wrote:

<snip>

Once the initial remote exploit has been used to execute arbitrary code

</snip>



I think Thor's point is if your Intranet is pwned such that it's hosting remote 
exploits, you're already screwed.



It's a configuration issue, anyway, so it's easy enough to mitigate against.  
My question is why did MS choose to disable Protected Mode by default in the 
Local Internet Zone?  I've only run across one application that won't run in 
Protected Mode; it seems like it should be on by default for all zones.




On Mon, Dec 6, 2010 at 1:49 AM, Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx> wrote:
I don't understand how Dan arrived at "Researchers bypass Internet Explorer 
Protected Mode" for the article title.  Protected Mode isn't being bypassed at 
all - the "researchers that figured out a reliable way to bypass the measure" 
apparently just noticed that Protected Mode is disabled by default in the Local 
Intranet Zone.

Is this something you are concerned about?  This would obviously only be 
exploitable by accessing sites on one's own intranet by specifically using 
intranet nomenclature (and trusted sites, but the user has to add those).  
Also, the article (or the researchers) are incorrect about the default settings 
for the Intranet zone - it's Medium-low, not Medium.   If the problem one is 
trying to fix is based on attackers compromising intranet sites and then 
posting code for unpatched vulnerabilities that would still end up only running 
in the user context, then you've got much bigger problems, no?

I'm just wondering why you are bringing attention to the article, or really, why 
it was written in the first place.

t

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Georgi Guninski
Sent: Sunday, December 05, 2010 1:26 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] verizon vs m$

in a world like this, verizon kills exploder bugs:

http://www.theregister.co.uk/2010/12/03/protected_mode_bypass/
http://www.verizonbusiness.com/resources/whitepapers/wp_escapingmicrosoftprotectedmodeinternetexplorer_en_xg.pdf

the language doesn't seem passionate:
-----
Finally, Microsoft and other software vendors should clearly document which 
features do and do not have associated security claims. Clearly stating which 
features make security claims, and which do not, will allow informed decisions 
to be made on IT security issues.
-----

lol

--
joro

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
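The point John and Thor keep returning to above is a configuration one: Protected Mode is shipped off for the Local intranet zone (and for Trusted sites the user adds), and turning it on per zone is the mitigation. The following is an added example for this thread, not code from the list, Verizon or Microsoft: a PowerShell audit that reads each zone's Protected Mode flag and security level from the registry and a helper that turns Protected Mode on for the intranet zone. The registry layout (zone numbers, value `2500` = Protected Mode with 0 = on / 3 = off, `CurrentLevel` codes) is Microsoft's documented zone-settings layout; the function names are mine, and the claim that the Group Policy "Turn on Protected Mode" setting writes the same `2500` value under the HKLM Policies key is an assumption, labelled as such in the code.

```powershell
# Added example (not from the thread): audit IE Protected Mode per security zone,
# and optionally turn it on for the Local intranet zone.
#
# Registry layout, per Microsoft's documentation of Internet Explorer zone settings:
#   <root>\Zones\<n>   n = 0 Local Machine, 1 Local intranet, 2 Trusted sites,
#                          3 Internet, 4 Restricted sites
#   value "2500"         (DWORD) Protected Mode: 0 = on, 3 = off
#   value "CurrentLevel" (DWORD) 0x10000 Low, 0x10500 Medium-low, 0x11000 Medium,
#                                0x11500 Medium-high, 0x12000 High
# ASSUMPTION (mine, not from the thread): the Group Policy "Turn on Protected Mode"
# writes the same "2500" value under the HKLM\...\Policies\... Zones key.

$ZoneNames  = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$LevelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }

$ZoneRoots = @{
    'HKCU user settings'            = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'HKLM machine settings'         = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'HKLM policy (assumed GPO path)' = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-IEZoneProtectedMode {
    # One object per zone per registry root; Finding is set where Protected Mode is off
    # in a zone that web content can land in (everything except Local Machine).
    foreach ($root in $ZoneRoots.GetEnumerator()) {
        foreach ($zone in 0..4) {
            $key = Join-Path $root.Value $zone
            if (-not (Test-Path $key)) { continue }   # policy key only exists when a GPO applies
            $pm    = (Get-ItemProperty -Path $key -Name '2500'         -ErrorAction SilentlyContinue).'2500'
            $level = (Get-ItemProperty -Path $key -Name 'CurrentLevel' -ErrorAction SilentlyContinue).'CurrentLevel'
            # switch is avoided here: PowerShell's switch runs no branch at all for a $null input
            $pmText = if ($null -eq $pm) { 'Not set' } elseif ($pm -eq 0) { 'On' } elseif ($pm -eq 3) { 'Off' } else { "Unknown ($pm)" }
            $levelText = if ($null -ne $level -and $LevelNames.ContainsKey([int]$level)) { $LevelNames[[int]$level] } else { $level }
            [pscustomobject]@{
                Source        = $root.Key
                Zone          = $zone
                ZoneName      = $ZoneNames[$zone]
                Level         = $levelText
                ProtectedMode = $pmText
                Finding       = if ($pm -eq 3 -and $zone -ne 0) { 'Protected Mode off' } else { '' }
            }
        }
    }
}

function Enable-IEIntranetProtectedMode {
    # The mitigation John calls "easy enough": set Protected Mode on for zone 1 (Local intranet).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Root = $ZoneRoots['HKCU user settings'])
    $key = Join-Path $Root 1
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($key, 'Set 2500 (Protected Mode) = 0')) {
        Set-ItemProperty -Path $key -Name '2500' -Value 0 -Type DWord
    }
}

# Usage: audit first, then preview the change with -WhatIf before applying it.
Get-IEZoneProtectedMode | Format-Table -AutoSize
Enable-IEIntranetProtectedMode -WhatIf
```

Run the audit as the user whose browser you care about, since the HKCU settings are per user; the HKLM rows tell you whether a machine-wide or policy setting overrides them. `Enable-IEIntranetProtectedMode` writes the user hive, which is fine for one workstation; for a fleet the same value is set through Group Policy so it cannot be flipped back from the Internet Options dialog. A new IE session is needed for the change to take effect.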
