Re: [Full-disclosure] Technical Details of Security Issues Regarding Safari for Windows
Errata -- The PNG graphic can't be reached directly. It can be viewed by following the link in the aforementioned blog entry:
http://liudieyu0.blog124.fc2.com/blog-entry-5.html

On Wed, Jun 11, 2008 at 5:17 PM, LIUDIEYU dot COM <[EMAIL PROTECTED]> wrote:
> Aviv really gave a huge hint on the issue:
> http://blog-imgs-24.fc2.com/l/i/u/liudieyu0/0001.png
> ( posted at http://liudieyu0.blog124.fc2.com/blog-entry-5.html )
>
> On Tue, Jun 10, 2008 at 10:28 PM, LIUDIEYU dot COM <[EMAIL PROTECTED]> wrote:
>> The first issue is the one described in Microsoft Security Advisory 953818. It's worked out by Aviv Raff:
>> http://www.microsoft.com/technet/security/advisory/953818.mspx
>> http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx
>> It's covered by news but Aviv Raff has not published technical details yet. News stories say Microsoft are going to handle this: "The Internet Explorer bulletin is expected to be cumulative and might include some remediation for the Safari for Windows vulnerability disclosed last month by Nitesh Dhanjani"
>> http://news.cnet.com/8301-10789_3-9959752-57.html?part=rss&subj=news&tag=2547-1_3-0-20
>> (It should be Aviv Raff instead of Nitesh Dhanjani, as suggested in the Microsoft security advisory and Aviv Raff's blog.)
>> Also it sounds unnatural that Microsoft provide remediation for a Safari vulnerability, and that the remediation is distributed in an IE patch. I provide the technical details of this issue for those who are interested:
>> http://liudieyu0.blog124.fc2.com/blog-entry-1.html
>> In my personal opinion this issue is rooted in IE wrongly loading a DLL from the desktop (instead of WINDOWS\SYSTEM32).
>>
>> The second issue is about the possibility that Safari can download malicious content that has a confusing file name and icon which might be launched later by an unknowing user. Details are here:
>> "A New Security Issue in Safari for Windows, NOT the "Blended Threat" Described in Microsoft Security Advisory 953818"
>> http://liudieyu0.blog124.fc2.com/blog-entry-3.html
>> In the post I say the main concern comes from LNK (shortcut file). Of course EXE can also be a concern if the file name extension is hidden. But most people I know do have file name extensions displayed in Windows.
>>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Technical Details of Security Issues Regarding Safari for Windows
Aviv really gave a huge hint on the issue:
http://blog-imgs-24.fc2.com/l/i/u/liudieyu0/0001.png
( posted at http://liudieyu0.blog124.fc2.com/blog-entry-5.html )

On Tue, Jun 10, 2008 at 10:28 PM, LIUDIEYU dot COM <[EMAIL PROTECTED]> wrote:
> The first issue is the one described in Microsoft Security Advisory 953818. It's worked out by Aviv Raff:
> http://www.microsoft.com/technet/security/advisory/953818.mspx
> http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx
> It's covered by news but Aviv Raff has not published technical details yet. News stories say Microsoft are going to handle this: "The Internet Explorer bulletin is expected to be cumulative and might include some remediation for the Safari for Windows vulnerability disclosed last month by Nitesh Dhanjani"
> http://news.cnet.com/8301-10789_3-9959752-57.html?part=rss&subj=news&tag=2547-1_3-0-20
> (It should be Aviv Raff instead of Nitesh Dhanjani, as suggested in the Microsoft security advisory and Aviv Raff's blog.)
> Also it sounds unnatural that Microsoft provide remediation for a Safari vulnerability, and that the remediation is distributed in an IE patch. I provide the technical details of this issue for those who are interested:
> http://liudieyu0.blog124.fc2.com/blog-entry-1.html
> In my personal opinion this issue is rooted in IE wrongly loading a DLL from the desktop (instead of WINDOWS\SYSTEM32).
>
> The second issue is about the possibility that Safari can download malicious content that has a confusing file name and icon which might be launched later by an unknowing user. Details are here:
> "A New Security Issue in Safari for Windows, NOT the "Blended Threat" Described in Microsoft Security Advisory 953818"
> http://liudieyu0.blog124.fc2.com/blog-entry-3.html
> In the post I say the main concern comes from LNK (shortcut file). Of course EXE can also be a concern if the file name extension is hidden. But most people I know do have file name extensions displayed in Windows.
>
[Full-disclosure] Technical Details of Security Issues Regarding Safari for Windows
The first issue is the one described in Microsoft Security Advisory 953818. It's worked out by Aviv Raff:
http://www.microsoft.com/technet/security/advisory/953818.mspx
http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx

It's covered by news but Aviv Raff has not published technical details yet. News stories say Microsoft are going to handle this: "The Internet Explorer bulletin is expected to be cumulative and might include some remediation for the Safari for Windows vulnerability disclosed last month by Nitesh Dhanjani"
http://news.cnet.com/8301-10789_3-9959752-57.html?part=rss&subj=news&tag=2547-1_3-0-20
(It should be Aviv Raff instead of Nitesh Dhanjani, as suggested in the Microsoft security advisory and Aviv Raff's blog.)

Also it sounds unnatural that Microsoft provide remediation for a Safari vulnerability, and that the remediation is distributed in an IE patch. I provide the technical details of this issue for those who are interested:
http://liudieyu0.blog124.fc2.com/blog-entry-1.html
In my personal opinion this issue is rooted in IE wrongly loading a DLL from the desktop (instead of WINDOWS\SYSTEM32).

The second issue is about the possibility that Safari can download malicious content that has a confusing file name and icon which might be launched later by an unknowing user. Details are here:
"A New Security Issue in Safari for Windows, NOT the "Blended Threat" Described in Microsoft Security Advisory 953818"
http://liudieyu0.blog124.fc2.com/blog-entry-3.html
In the post I say the main concern comes from LNK (shortcut file). Of course EXE can also be a concern if the file name extension is hidden. But most people I know do have file name extensions displayed in Windows.
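Both issues in the post come down to what an unattended download can leave behind: a DLL dropped on the desktop where another program may pick it up, a shortcut (LNK) whose target and icon the downloader does not control, or an executable whose real extension hides behind a document-looking one. The triage below is an added example, not code from the post or from Apple or Microsoft; the extension sets, the "desktop"/"downloads" location labels and the sample listing are all constructed for illustration. It is the kind of check an administrator would run over a user's download locations to spot files worth a second look.

```python
import os
from typing import Dict, List, Tuple

# Extensions Windows will run or follow directly when double-clicked.
# Constructed, illustrative subset; not an exhaustive list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk", ".dll"}

# Document-looking extensions often placed in front of a real, hidden one
# (e.g. "invoice.doc.exe" shown as "invoice.doc" when extensions are hidden).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png", ".htm", ".html"}


def classify_download(filename: str, location: str = "downloads") -> List[str]:
    """Return the reasons a downloaded file deserves attention (empty if none).

    filename: the real on-disk name, extension included.
    location: constructed label for where the file landed; "desktop" matters
              because the post describes IE loading a DLL from the desktop.
    """
    reasons: List[str] = []
    name = filename.lower()
    root, ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(root)  # extension hiding behind the real one

    if ext == ".lnk":
        reasons.append("shortcut file (.lnk): target and icon are chosen by whoever served it")
    if ext == ".dll" and location == "desktop":
        reasons.append("DLL dropped on the desktop: may be loaded by a program searching its start directory")
    if ext in EXECUTABLE_EXTS and inner_ext in DECOY_EXTS:
        reasons.append(f"double extension: looks like {inner_ext} but runs as {ext}")
    return reasons


def triage(listing: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged file name to its reasons; clean files are omitted."""
    flagged: Dict[str, List[str]] = {}
    for filename, location in listing:
        reasons = classify_download(filename, location)
        if reasons:
            flagged[filename] = reasons
    return flagged


# Constructed directory listing standing in for a scan of a user's profile.
SAMPLE_LISTING = [
    ("report.pdf", "downloads"),
    ("schedule.pdf.lnk", "desktop"),
    ("example.dll", "desktop"),
    ("invoice.doc.exe", "downloads"),
    ("notes.txt", "desktop"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LISTING).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

On a real machine the listing would come from `os.scandir()` over the Desktop and Downloads folders; the check deliberately looks only at names, because the post's point is that the name and icon are what the user sees before deciding to launch the file.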
[Full-disclosure] the hysteria on pangolin.exe
unpack it with upx and all the false positives are gone, exactly as zwell noted. antivirus is never accurate.

6326120a66269f8f42aa91b76c8c237c  pangolin.exe
dea13ad95c43c04165acc53bf7eedfa6  pangolin.exe.upx-d

6326120a66269f8f42aa91b76c8c237c  http://www.virustotal.com/analisis/0603d534b0128bf81ec57a8ab00e145c
dea13ad95c43c04165acc53bf7eedfa6  http://www.virustotal.com/analisis/b9d55c751d5eed7b34cda3fe708b1bd7
Re: [Full-disclosure] Internet Explorer 0day exploit
Well said. This class of attack has been known for a long time - got public in 2004 as Paul's links indicated. Since then it's widely understood and heavily assessed ... mms: mailto: HCP: notes: etc. Thor's finding is a surprise - years passed and an extremely simple vector of attack still works in IE.

On 7/10/07, Paul Szabo <[EMAIL PROTECTED]> wrote:
> Thor Larholm wrote:
>
> > There is a URL protocol handler command injection vulnerability ...
> > http://larholm.com/2007/07/10/internet-explorer-0day-exploit/
>
> I wonder whether this is essentially different from:
>
> Microsoft Internet Explorer 6 Protocol Handler Vulnerability
> http://www.securityfocus.com/archive/1/370959
> http://www.securityfocus.com/archive/1/371061
> http://lists.grok.org.uk/pipermail/full-disclosure/2004-August/024833.html
>
> Please enlighten.
>
> Thanks,
>
> Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
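The class of bug discussed in this thread is that a browser hands a URL to an external program by substituting it into a registered command-line template, and a quote character inside the URL can end the quoted argument early. The validator below is an added example, not code from Thor Larholm's write-up or from any vendor fix; the handler templates for the `notes:` and `example:` schemes are constructed stand-ins for what a Windows protocol registration looks like. It shows the check a browser or launcher should apply before rendering the command line: reject URLs whose raw or percent-decoded form contains a double quote or a control character, and refuse schemes that are not registered at all.

```python
import re
from typing import Dict, Tuple
from urllib.parse import unquote

# Constructed handler registrations in the shape Windows stores them:
# a command template in which %1 is replaced by the URL the browser received.
HANDLER_TEMPLATES: Dict[str, str] = {
    "notes": '"C:\\Program Files\\Example\\notes.exe" "%1"',
    "example": '"C:\\Program Files\\Example\\app.exe" --open "%1"',
}

SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def would_break_quoting(url: str) -> bool:
    """True if substituting url into a quoted "%1" slot could end the argument early.

    Both the raw URL and its percent-decoded form are checked, because some
    handlers decode the URL before the command line is split into arguments.
    """
    return any('"' in candidate for candidate in (url, unquote(url)))


def validate_handler_url(url: str) -> Tuple[bool, str]:
    """Decide whether url is safe to hand to a registered protocol handler."""
    match = SCHEME_RE.match(url)
    if not match:
        return False, "no scheme"
    scheme = match.group(1).lower()
    if scheme not in HANDLER_TEMPLATES:
        return False, f"unregistered scheme: {scheme}"
    if would_break_quoting(url):
        return False, "URL contains a double quote that can terminate the argument"
    if any(ord(c) < 0x20 for c in url):
        return False, "control character in URL"
    return True, "ok"


def render_command(url: str) -> str:
    """Build the handler command line, but only for a URL that passed validation."""
    ok, reason = validate_handler_url(url)
    if not ok:
        raise ValueError(f"refusing to launch handler: {reason}")
    scheme = SCHEME_RE.match(url).group(1).lower()
    return HANDLER_TEMPLATES[scheme].replace("%1", url)


if __name__ == "__main__":
    # Constructed sample URLs: one benign, one with a raw quote,
    # one with the quote percent-encoded, one for an unregistered scheme.
    for sample in ('notes:nsf://server/db.nsf', 'notes:foo" --bar',
                   'notes:foo%22bar', 'mailto:user@example.invalid'):
        print(f"{sample!r:40} -> {validate_handler_url(sample)}")
```

The decoded-form check is the part most often missed: a URL that looks clean on the wire can still contain a quote once the receiving program decodes `%22`, so the validation has to reason about what the handler will see, not only what the browser sees.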
[Full-disclosure] Fwd: IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
fulldisclosure and ntbugtraq added, also available on my blog.

-- Forwarded message --
From: LIUDIEYU dot COM <[EMAIL PROTECTED]>
Date: Oct 29, 2006 1:50 AM
Subject: Re: IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
To: Reversemode <[EMAIL PROTECTED]>
Cc: Securityfocus

If you have read "IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006" then please ignore this message, for in it I offer no further view on this topic. A gentleman has challenged me with several questions on bugtraq and as an old-fashioned Chinese man it is impolite to avoid answering in such circumstances. Sorry for the delay, caused not through my fault, Mister Reversemode; here is my reply to your question marks:

Q1: I assume that bugtraq is an objective security list. Subjective opinions? I do not think so.

A1: I just heard you say "From a security researcher standpoint", "So let's imagine", "What would happen if you have to" blah blah, etc. "objective"? You are not confused with these two jectives, are you?

Q2: From a security researcher standpoint, the important thing is where the flaw is located, since your products/company could be exposing the flawed component through a bunch of attack vectors. So let's imagine that Microsoft had released an advisory just saying that the culprit is Internet Explorer ONLY. It wouldn't be very funny if you are using that mhtml component within your own product, since you would think: "Ok, no problem, IE is vulnerable ONLY". What would happen if you have to write down a vulnerability report on it?

A2: "What would happen" ... honestly I don't know. Per your request, as "bugtraq is an objective security list", can you name one example product other than IE that demonstrates "using that mhtml component" "wouldn't be very funny"?

Q3: Attack vectors != vulnerabilities. For example, is a vuln within the Quicktime Browser plugin the same as a flaw within IE itself? I don't think so. I am not defending Microsoft. I am defending that every vendor/researcher should release proper advisories, i.e. (...)

A3: In this specific "For example" case you don't have to defend Microsoft. It's Apple who need your defense, if hopefully it involves something not Apple branded.

Mister Reversemode, if you have further concerns to express publicly over bugtraq regarding this topic brought up by me, you are welcome to ask me and I'll reply accordingly, but you do understand I might not be available for a 3rd reply to your message.

Liu Die Yu
28 OCT 06

On 10/28/06, Reversemode <[EMAIL PROTECTED]> wrote:
> >"Let me sum up: in this case IE is vulnerable, only IE is vulnerable, and Microsoft say "These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all".
>
> I assume that bugtraq is an objective security list. Subjective opinions? I do not think so.
>
> If you post saying "X" product is vulnerable, you should be able to demonstrate it. From a security researcher standpoint, the important thing is where the flaw is located, since your products/company could be exposing the flawed component through a bunch of attack vectors.
> So let's imagine that Microsoft had released an advisory just saying that the culprit is Internet Explorer ONLY. It wouldn't be very funny if you are using that mhtml component within your own product, since you would think: "Ok, no problem, IE is vulnerable ONLY". What would happen if you have to write down a vulnerability report on it?
>
> Btw, you have censored an important part of the original "advisory" for your own profit :
>
> >"Let me sum up: in this case IE is vulnerable, only IE is vulnerable, and Microsoft say "These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all" -> "Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express"
> "
>
> Attack vectors != vulnerabilities
>
> For example, is a vuln within the Quicktime Browser plugin the same as a flaw within IE itself? I don't think so.
>
> I am not defending Microsoft. I am defending that every vendor/researcher should release proper advisories, i.e. when Microsoft hid information in a security bulletin a few months ago ( NtClose DeadLock issue/MS06-30), I posted to the list objective technical details dem
[Full-disclosure] IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006
Upon IE7 release, Secunia published SA22477 titled `Internet Explorer 7 "mhtml:" Redirection Information Disclosure`. Here I figured a straightforward demo - navigate IE7 to:

* mhtml:http://www.google.com/url?q=http://www.yahoo.com/

Google redirects to Yahoo, Yahoo content is loaded, but the browser location is not updated.

Microsoft blogs assure that the vulnerability brought up by Secunia is not in IE7, technically; rather, it's Outlook Express; and as usual, the words of Microsoft were well honored by several public media sources. Microsoft do not even send the slightest comment that IE is a source of the problem - despite it involving cross-domain data compromise, HTTP redirection, ActiveX (DOM also works) ... all in all, when this attack happens, it has got to be IE and no other.

Let me sum up: in this case IE is vulnerable, only IE is vulnerable, and Microsoft say "These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all".

Upon seeing "mhtml:", it reminds me of a magnificent historic incident which also involved "mhtml:" -- an IE exploit so perfectly and widely utilized that it made CERT suggest "Use a different web browser" (CERT KB VU#323070), and first initiated the boom of Firefox. Of course Microsoft is unlikely to say technically this is also not IE's problem.

At last allow me to put an off-topic yet sentimental complaint ... Quite a while ago, when I got IE exploits and Secunia broadcasted about them, my name was in every news report; this month, same situation, codedreamer - original finder of the "mhtml:" thing broadcasted by Secunia - was not properly given credit ... no mention in news reports, no mention in the famous first ever IE7 advisory SA22477; codedreamer made the whole thing yet Secunia gave but one single line of credit at the bottom of the demo: "The test is based on Proof of Concept code by codedreamer". Let me say I'm a man who believes in paying respect, thus I made this little complaint, paying my respect to codedreamer.

Best Wishes for All Firefox Surfers and Firefox 2.0

Liu Die Yu
25 OCT 06
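The demo URL in the post wraps an HTTP URL that performs a redirect inside the `mhtml:` scheme, and the post notes that the same thing can be driven from script or ActiveX rather than the address bar. A page that hosts such a reference is therefore something a web proxy or content filter can look for. The scanner below is an added example, not Secunia's test or codedreamer's proof of concept: it parses HTML, finds URL-bearing attributes whose value uses the `mhtml:` scheme, splits off the inner http(s) URL (and the `!` part separator that MHTML URLs use), and reports the inner host together with any redirect target carried in the query. The `q` parameter comes from the post's own demo URL; `url` and `redirect` are assumed extra parameter names, and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Attributes that carry URLs the browser will fetch or follow.
URL_ATTRS = {"src", "href", "data", "action"}

# Query parameters checked for an embedded redirect target. "q" is from the
# post's demo URL; "url" and "redirect" are assumed names, not from the post.
REDIRECT_PARAMS = ("q", "url", "redirect")


def parse_mhtml_url(url: str) -> Optional[Dict[str, object]]:
    """Describe an mhtml:<inner-url>[!<part>] reference, or None if url is not one."""
    if not url.lower().startswith("mhtml:"):
        return None
    inner = url[len("mhtml:"):].split("!", 1)[0]  # drop the MHTML part selector
    parts = urlsplit(inner)
    if parts.scheme not in ("http", "https"):
        return None
    query = parse_qs(parts.query)
    targets = [value for key in REDIRECT_PARAMS for value in query.get(key, [])]
    return {"inner_host": parts.netloc, "redirect_targets": targets}


class MhtmlRefFinder(HTMLParser):
    """Collect every tag attribute that references an mhtml: URL."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, object]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in URL_ATTRS:
                info = parse_mhtml_url(value.strip())
                if info:
                    self.findings.append({"tag": tag, "attr": name, "url": value, **info})


def scan_html(html: str) -> List[Dict[str, object]]:
    """Return one finding per mhtml: reference found in the document."""
    parser = MhtmlRefFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one ordinary link and one frame using the scheme
# from the post's demo URL.
SAMPLE_HTML = """
<html><body>
<a href="http://www.example.com/">ordinary link</a>
<iframe src="mhtml:http://www.google.com/url?q=http://www.yahoo.com/"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(f"<{finding['tag']} {finding['attr']}> inner host {finding['inner_host']}, "
              f"redirects to {finding['redirect_targets']}")
```

A finding whose inner host differs from the redirect target's host is the case the post describes: content from one origin ends up loaded under a location that still names another. Script-built URLs are not visible to this static pass, so on a filter it complements, rather than replaces, blocking the scheme outright.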