Zero-Day Internet Explorer Exploit Published
Nov. 22, 2009, 01:08 PM
Post: #1
Does sidki's filter set protect against this?

http://www.symantec.com/connect/blogs/ze...-published

Quote: A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future. When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

Here is the code from BugTraq:

Code: <!--

Thanks in advance.
Nov. 22, 2009, 02:13 PM
Post: #2
I saved the code you posted as an *.html page and ran it on one of my Apache servers.

My anti-virus effectively stops it (while trying to save the code to an html page and when loading the page in a browser), but the latest Sidki out-of-the-box does not block it. I tried enabling a few non-default web filters to see if they would stop it, but the only one that I found effective was the Header Filter "! |||||||||||| 7.1 Block all Scripts 07.03.20 [sd] (o.3) (Out)".

Here's an excerpt of the debug output with stock settings using the latest beta:

Code: <script>

And here's the same excerpt with the aforementioned Header Filter activated:

Code: <Match: <script> Block: All Scripts 08.11.18 (cch!) [srl] (d.0) >

This was a quick-and-dirty test, so my analysis is subject to being ripped apart.
Nov. 22, 2009, 02:32 PM
Post: #3
Thanks for testing this, ProxoDent!

Now that I think of it, I have a filter which does the job nicely:

Code: Name = "<script>: Remove Obfuscated Code"

This is a modified version of a filter which was discussed in 2008, I believe.
Nov. 22, 2009, 02:41 PM
Post: #4
(Nov. 22, 2009 02:32 PM) DarthTrader Wrote: Thanks for testing this, ProxoDent!

Yes. That does it:

Code: <script>
Nov. 22, 2009, 09:41 PM
Post: #5
Yes, don't use Infected Explorer.
Nov. 22, 2009, 10:12 PM
Post: #6
(Nov. 22, 2009 02:32 PM) DarthTrader Wrote: Thanks for testing this, ProxoDent!

Unfortunately, this filter also breaks a lot of others, for example: http://www.youtube.com/watch?v=bU7j97ZIGdQ
Nov. 22, 2009, 11:32 PM
Post: #7
Changing this:

Code: "|(%|\\x)([a-f0-9])+{2}"

to this:

Code: "|(%|\\x)([a-f0-9])+{4}"

Thanks for the heads up!
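The trade-off the last few posts are circling (a script filter that keys on runs of hex escapes catches heap-spray style exploit code, but a low repeat count also strips legitimate scripts such as the YouTube page above) is easier to see in a standalone model. The following is an added example, written in Python rather than the Proxomitron matching language, and is not sidki's filter, the "Remove Obfuscated Code" filter from the thread, or the BugTraq exploit. It assumes that the repeat count changed from {2} to {4} acts as a minimum number of consecutive escape sequences (an assumption about that filter, not a statement of Proxomitron semantics), and the two sample pages are constructed for the demonstration.

```python
import re

# Escape forms that obfuscated exploit scripts lean on: %HH and %uHHHH (consumed by
# unescape()) and \xHH (JavaScript string escapes). These regexes stand in for the
# Proxomitron matching language used by the thread's filter; they are not that filter.
ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}")
ESCAPE_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2})+")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def longest_escape_run(script):
    """Number of back-to-back escape sequences in the longest run inside `script`.

    Heap-spray and shellcode strings are long runs of escapes; ordinary scripts
    contain at most a couple in a row (e.g. "\\x3c\\x2f" to write "</").
    """
    return max((len(ESCAPE.findall(m.group(0))) for m in ESCAPE_RUN.finditer(script)),
               default=0)


def filter_scripts(html, min_run):
    """Drop every <script> block whose longest escape run is at least `min_run`.

    `min_run` plays the role of the {2} -> {4} repeat count changed in the thread
    (an assumption about what that count does; this is not sidki's filter).
    Returns (filtered_html, number_of_script_blocks_removed).
    """
    removed = 0

    def replace(m):
        nonlocal removed
        if longest_escape_run(m.group(0)) >= min_run:
            removed += 1
            return "<!-- script removed: obfuscated code -->"
        return m.group(0)

    return SCRIPT_BLOCK.sub(replace, html), removed


# Constructed sample pages, not the BugTraq exploit and not a real YouTube page.
SPRAY_PAGE = r"""<html><body><script>
var nops = unescape("%u0c0c%u0c0c%u0c0c%u0c0c");   // four %uHHHH escapes in a row
var buf  = "\x41\x41\x41\x41\x41\x41";              // six \xHH escapes in a row
</script></body></html>"""

BENIGN_PAGE = r"""<html><body><script>
document.write("\x3c\x2fscript\x3e");   // two escapes in a row, then plain text
var q = decodeURIComponent("%2F");
</script></body></html>"""


if __name__ == "__main__":
    for name, page in (("spray", SPRAY_PAGE), ("benign", BENIGN_PAGE)):
        for min_run in (2, 4):
            _, removed = filter_scripts(page, min_run)
            print(f"{name:6s} min_run={min_run}: longest run {longest_escape_run(page)}, "
                  f"blocks removed {removed}")
```

With `min_run=2` both pages lose their script block: the benign page's `"\x3c\x2fscript\x3e"` idiom (two escapes in a row) trips the filter just as a spray string does, which is the kind of collateral breakage reported for YouTube. With `min_run=4` only the spray page is filtered, since its shortest suspicious run is four `%uHHHH` escapes and the benign page never exceeds two. The cost of the higher threshold is that an exploit which splits its escapes with string concatenation or builds the payload at run time would pass, so a run-length filter is a coarse mitigation, not a substitute for patching the browser.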