Educause Security Discussion
mailing list archives
Re: 0-day exploit for Internet Explorer in the wild
From: Curt Wilson <curtw () SIU EDU>
Date: Wed, 10 Dec 2008 15:45:11 -0600
Gregory N Pendergast/AC/VCU wrote:
BreakingPoint Labs has a good analysis of the exploit:
Unfortunately, I haven't yet seen any mention of realistic mitigations.
Information Security Analyst
Virginia Commonwealth University
What does 'realistic' mean in this context?
I have not personally tested it; however, the article mentions manually
enabling DEP for platforms where DEP is opt-in. In the limited attack I
know of so far from the .cn sites, I'm guessing that if the end-stage
binary is not constantly changing or packed with a difficult-to-handle
packer, AV coverage might be present, although again I have not tested.
Of course, that's an after-the-fact measure and not what you specifically asked.
There was a presentation at 2008 BlackHat Las Vegas I believe on
stopping heap spraying attacks, but I'm not sure of the practical
details or implementation.
As far as I can tell, the old standby of "disabling active scripting"
should work. On campus, I recommend people tweak the security zones in
IE, use trusted sites (with active scripting) only when necessary for
internal and/or trusted hosts, disable active scripting elsewhere in IE,
and use another browser for generic web surfing (Firefox + NoScript, for
instance). Probably not "realistic" though, except for the people that
care enough already.
I am assuming that Vista is not specifically at risk, but I don't know
for a fact. Anyone else know?
SIUC IT Security Officer & Security Engineer
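The zone tweaks and DEP check discussed in the message above, as an added PowerShell example that is not part of the thread: it audits Active Scripting per IE security zone, disables it in the Internet zone, maps a trusted internal host into the Trusted sites zone, and reports the machine's DEP policy. It assumes the standard per-user IE zone registry keys are not locked by Group Policy, and 'intranet.example.edu' is a placeholder host name.

```powershell
# Added example, not from the thread: audit and apply the IE hardening Curt
# describes (Active Scripting off in the Internet zone, on only for trusted
# internal hosts) and report the DEP policy the article suggests checking.
# Assumptions: settings live per user in HKCU and are not locked by Group
# Policy; 'intranet.example.edu' is a placeholder for your own trusted host.

$Zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ActiveScripting = '1400'   # URL action "Active scripting": 0 Enable, 1 Prompt, 3 Disable

function Get-ActiveScriptingState {
    # One row per security zone showing how Active Scripting is currently set
    $names = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    foreach ($z in 1..4) {
        $v = (Get-ItemProperty -Path "$Zones\$z" -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
        $state = switch ($v) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { 'not set (default)' } }
        New-Object PSObject -Property @{ Zone = $names[$z]; ActiveScripting = $state }
    }
}

function Disable-InternetZoneScripting {
    # Zone 3 is "Internet"; value 3 = Disable
    Set-ItemProperty -Path "$Zones\3" -Name $ActiveScripting -Value 3 -Type DWord
}

function Add-TrustedSite {
    # Map a host into the Trusted sites zone (2), for the https scheme only by default
    param([Parameter(Mandatory=$true)][string]$HostName, [string]$Scheme = 'https')
    $key = Join-Path $ZoneMap $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

function Get-DepPolicy {
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn,
    # 2 OptIn (only programs that opt in are covered), 3 OptOut (all but listed exceptions)
    $os = Get-WmiObject Win32_OperatingSystem
    $policy = switch ($os.DataExecutionPrevention_SupportPolicy) {
        0 { 'AlwaysOff' } 1 { 'AlwaysOn' } 2 { 'OptIn' } 3 { 'OptOut' } default { 'unknown' }
    }
    New-Object PSObject -Property @{ Available = $os.DataExecutionPrevention_Available; Policy = $policy }
}

Get-ActiveScriptingState | Format-Table Zone, ActiveScripting -AutoSize
Get-DepPolicy
# Disable-InternetZoneScripting            # apply the change for the current user
# Add-TrustedSite 'intranet.example.edu'   # placeholder host, trusted for https
```

A reported policy of OptIn means DEP protects only programs that opted in, which is the case the article's advice about manually enabling DEP addresses.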