[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
- To: "'adam'" <adam@xxxxxxxxx>, "security@xxxxxxxxxxxxxxxxx" <security@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
- From: Michael Schmidt <mschmidt@xxxxxxxxxxxxx>
- Date: Thu, 15 Sep 2011 23:11:13 +0000
Someone’s just not reading the bulletins – Note the term “Remote” – including
webdav, so a share that could be fully controlled by the exploiter. At least
that is what I am understanding.
Updates released on September 13, 2011
Microsoft Security Bulletin MS11-071, "Vulnerability in Windows Components
Could Allow Remote Code Execution," provides support for vulnerable components
of Microsoft Windows that are affected by the Insecure Library Loading class of
vulnerabilities described in this advisory.
Microsoft Security Bulletin MS11-073, "Vulnerabilities in Microsoft Office
Could Allow Remote Code Execution," provides support for vulnerable components
of Microsoft Office that are affected by the Insecure Library Loading class of
vulnerabilities described in this advisory.
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of adam
Sent: Thursday, September 15, 2011 3:27 PM
To: security@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>>I'm afraid you don't fully understand the issue. This is not about placing
>>your own
>>DLL on a local machine so that a chosen application will load it (i.e., user
>>"attacking" an application on his own computer).
I'm not sure you understood the point. That being, whether the user knowingly
or unknowingly loads the "malicious" DLL - the application will be effected the
same either way. To that point: it's been possible for over a decade (and
perhaps even longer) so pretending that it's some brand new threat that needs
to be dealt with immediately is foolish.
>>possibly on a remote share - and executing its code (i.e., attacker with zero
>>privileges on user's computer executing code on that computer).
Zero privileges? So having write access to a share that the user accesses/loads
files from - what do you call that? This is a social engineering attack -
absolutely nothing more.
On a related note: have you also contacted Linus about LD_PRELOAD?
On Thu, Sep 15, 2011 at 5:05 PM, ACROS Security Lists
<lists@xxxxxxxx<mailto:lists@xxxxxxxx>> wrote:
Hi Adam,
I'm afraid you don't fully understand the issue. This is not about placing your
own
DLL on a local machine so that a chosen application will load it (i.e., user
"attacking" an application on his own computer). It is about an application
running
on your computer silently grabbing a malicious DLL from attacker-controlled
location
- possibly on a remote share - and executing its code (i.e., attacker with zero
privileges on user's computer executing code on that computer).
I hope this helps a little.
Cheers,
Mitja
> -----Original Message-----
> From: iarethebest@xxxxxxxxx<mailto:iarethebest@xxxxxxxxx>
> [mailto:iarethebest@xxxxxxxxx<mailto:iarethebest@xxxxxxxxx>] On
> Behalf Of adam
> Sent: Thursday, September 15, 2011 11:26 PM
> To: Thor (Hammer of God)
> Cc: security@xxxxxxxxxxxxxxxxx<mailto:security@xxxxxxxxxxxxxxxxx>; Christian
> Sciberras;
> full-disclosure@xxxxxxxxxxxxxxxxx<mailto:full-disclosure@xxxxxxxxxxxxxxxxx>;
> bugtraq@xxxxxxxxxxxxxxxxx<mailto:bugtraq@xxxxxxxxxxxxxxxxx>
> Subject: Re: [Full-disclosure] Microsoft's Binary Planting
> Clean-Up Mission
>
> Plus: pretending that you're on the same page as Microsoft
> (from a security standpoint) to further your own argument is
> more damaging than it is beneficial. The entire "binary
> planting" concept was flawed from the very beginning. If you
> can drop a binary file on a user's machine - make it an
> executable and be done with it. There's nothing fancy or
> innovative about forcing applications to use specific DLLs -
> script kiddies have been doing it for over 10 years to inject
> custom code in multiplayer games.
>
> On Thu, Sep 15, 2011 at 3:59 PM, Thor (Hammer of God)
> <thor@xxxxxxxxxxxxxxx<mailto:thor@xxxxxxxxxxxxxxx>> wrote:
>
>
> I'm curious. Who is your contact at MSFT? Who is it
> that has told you they have a "Binary Planting Clean-up
> Mission" and where do they mention you as having anything to
> do with it?
>
> If you are going to claim MSFT's actions as substantive
> to your agenda, how about provide some details?
>
> t
>
> > -----Original Message-----
> > From: ACROS Security Lists
> [mailto:lists@xxxxxxxx<mailto:lists@xxxxxxxx>]
> > Sent: Thursday, September 15, 2011 1:41 PM
> > To: 'Christian Sciberras'
> > Cc: Thor (Hammer of God);
> full-disclosure@xxxxxxxxxxxxxxxxx<mailto:full-disclosure@xxxxxxxxxxxxxxxxx>;
> > bugtraq@xxxxxxxxxxxxxxxxx<mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>
> > Subject: RE: [Full-disclosure] Microsoft's Binary
> Planting Clean-Up Mission
> >
>
> > Hey Chris,
> >
> > > I bet Microsoft actually like stating they just
> fixed yet another
> > > severe bug.
> > > Zero-day fixing is big business, you know....even if "zero"
> > > is past a few "days".
> >
> > I don't think Microsoft gains much from being able to
> say they fixed yet
> > another bug
> > - maybe if it were a bug they found internally and
> fixed proactively, but not
> > like this. And I'm sure they'd rather be doing
> something else than fixing:
> > fixing a product costs a lot, and it generates no revenue.
> >
> > Cheers,
> > Mitja
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/