
Full Disclosure mailing list archives

RE: How big is the danger of IE?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 09 Jul 2004 14:55:25 +1200

"Larry Seltzer" <larry () larryseltzer com> wrote:

...the security zone model itself (well, at least its
implementation in IE, etc) _is the problem_ and can often be
exploited independent of the scripting, and other active content
processing, state of the zone in which some arbitrary piece of HTML
is rendered. 

So you can do a cross-zone attack against the restricted zone, with
all scripting and active content disabled? I'd like to see an example
of this. 

It's precisely that kind of attitude that perpetuates two really 
insidious influences in the "security community".

First, it drives many vulnerability discoverers to feel they "must" 
publish PoC code (which is ever more quickly turned into active 
exploits against the vulnerability, increasing the harm wrought by each 
such publicly disclosed vulnerability).

Second, it leaves ignorant folk unduly smug in their belief that they 
are safe "because I have not seen it with my own eyes".

It is often said that "security is a process" but that process has to 
be driven by an understanding of the possible, which will always be at 
least partly a theoretical endeavour.  People have often said much the 
same as you just did about various reputedly "very difficult to exploit 
vulnerabilities" (well, it said so in the belated MS security bulletin, 
so it had to be true, right?), but all manner of HTML content is 
minimally "active" in the sense that the interpreter can be induced to 
fail in interesting ways or in that alternate or additional content is 
obtained through some form of redirection, and such things are often 
the basis of many previous, successful exploits of those "very 
difficult to exploit" IE (and many other) vulnerabilities.

So, will you be smug (and lazy) with Larry or safer moving to Mozilla?

I know where I put my money...


The "bigger picture" perspective...

Do you guys really think that folk like Guninski, Jelmer, http-equiv, 
Lie Diu (sp? -- sorry) etc rush their newest discoveries out as quickly 
as they find them?  OK, so sometimes they do, but often they have 
niggly "little" tricks that they feel aren't worth much alone, but 
which they store away until such a time that they are just the right 
new twist to beat the latest hackneyed and incomplete "fix" from MS or 
whoever.  We have seen evidence of this time and again -- within the 
last couple of weeks even.  How many of those undisclosed tricks that 
can become show-stoppers when the right environment for using them is 
eventually found do you suppose those guys know of?  Based on the 
general bugginess of software and the relative seriousness weightings 
of bugs in general I'd hazard it's quite possibly in the range of two to 
three for every one they release...

So, are you really so sure that it is worth waiting for MS to ship the 
fix for this latest abject failure of the zone chooser?  How sure are 
you that someone won't release a new exploit that walks through, over 
or around that sparkly next patch, probably within minutes to hours of 
the patch's release?  And, even if you accept there is a modest 
probability of that happening, how long do you have to live like that 
before deciding that sidestepping most of these problems really is a 
better alternative?  A few months?  A few years?

Both those timeframes have expired...

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
