I can't think of anything offhand that would be on every machine either, but a couple of possibilities spring to mind for targeted attacks (actually a broad sweep, followed by targeted attacks depending on what you find during the sweep):

Grab the Windows index file and parse it to find file names/locations. (Don't know how possible/exploitable this is; it just came to mind.) This, of course, only works if the drive is indexed. Might be possible for other popular indexing programs too (Google Desktop, etc).

Quicken and/or QuickBooks use well known file names that are generally in specific locations.

Jeff

On Thu, Feb 4, 2010 at 3:35 PM, Carl Houseman <c.house...@gmail.com> wrote:

> For a targeted attack, that could be a concern, but for a widespread attack that would harvest exploitable information from tens of thousands of computers, not so much.
>
> *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
> *Sent:* Thursday, February 04, 2010 3:24 PM
> *To:* NT System Admin Issues
> *Subject:* RE: IE info-disclosure bug disclosed at Black Hat
>
> You could pull ntuser.dat and read a fair amount of juiciness about where to find some specific file.
>
> *From:* Carl Houseman [mailto:c.house...@gmail.com]
> *Sent:* Thursday, February 04, 2010 1:44 PM
> *To:* NT System Admin Issues
> *Subject:* RE: IE info-disclosure bug disclosed at Black Hat
>
> That's a well known folder, not a well known file. Exposure of folder contents does not appear to be included in this flaw.
>
> Again, name a well known *data file* (a specific file that exists for nearly every Windows installation of that Windows version) that could lead to critical harm if disclosed to an attacker.
>
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Sent:* Thursday, February 04, 2010 2:34 PM
> *To:* NT System Admin Issues
> *Subject:* Re: IE info-disclosure bug disclosed at Black Hat
>
> c:\documents and settings\<user>\My Documents
>
> c:\users\<user>\Documents
>
> Many companies, especially small companies, store their data here. Our users for the most part store data here for staging purposes when they are out in the field performing an audit. Eventually it gets cleaned out when incorporated into our engagement management software.
>
> On Thu, Feb 4, 2010 at 1:42 PM, Carl Houseman <c.house...@gmail.com> wrote:
>
> Secunia doesn't seem to think it's that critical, certainly not in the same league as system-takeover problems.
>
> Name any well known data file on my computer that would cause me "super critical" harm if disclosed. Don't bother with the local SAM, they can have it, since there's no remote access via a local account.
>
> Carl
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Thursday, February 04, 2010 12:29 PM
> To: NT System Admin Issues
> Subject: Re: IE info-disclosure bug disclosed at Black Hat
>
> Super critical, because paths to many well-known data files are always the same.
>
> On Thu, Feb 4, 2010 at 09:10, Carl Houseman <c.house...@gmail.com> wrote:
> > It's not IE6, it's any version of IE that's not in "protected mode" (so, any version of IE on XP, and/or an elevated or UAC-disabled IE under Vista/7).
> >
> > Seems not that super-critical since exploit must know a complete path to a specific file that's going to be revealed.
> >
> > Carl
> >
> > -----Original Message-----
> > From: Angus Scott-Fleming [mailto:angu...@geoapps.com]
> > Sent: Thursday, February 04, 2010 11:57 AM
> > To: NT System Admin Issues
> > Subject: IE info-disclosure bug disclosed at Black Hat
> >
> > MSRC bulletin released, MS Security Advisory released, ZDNet Zero-Day has a story.
> >
> > An information-leakage problem in Internet Explorer has been disclosed at this week's Black Hat conference. It seems that if you use Internet Explorer to surf the Internet, the Bad Guys can now read ANY FILE on your hard drive. Details and info on a Microsoft-issued "FixIt" solution are in the latest blog entry at http://geoapps.blogspot.com/ -- so if you use IE, especially IE6, please go read up on this and get patching.
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~