Full Disclosure mailing list archives

RE: RE: HijackClick 3
From: "Thor Larholm" <tlarholm () pivx com>
Date: Wed, 14 Jul 2004 18:45:18 -0700

-----Original Message-----
From: http-equiv () excite com [mailto:1 () malware com] 

The codeBase attribute has allowed command execution from the My
Computer zone without interruption since this misfeature was discovered
by Dildog. It was not automatically re-enabled with yesterday's patches,
so there must have been some other problem with your systems that has
made it untestable for you during the years.

If you need any easily reproducible POC for codeBase you can use the
example from GM#001-IE [1]. Put a fresh Windows XP image on VMWare or
VirtualPC, apply all the patches up to June/July 2003 and you will see
that the POC still works. You can even combine codebase with any of the
recent click hijacking vulnerabilities from Paul and you can see that
beneath the new Information Bar in SP2 the same codebase functionality
is present (by the way, that bar is not present in the Intranet or
Trusted Sites zones).


We have by no means been trying to hide the download location of
Qwik-Fix Pro from anyone. We are in the middle of a data center move and
have been readily handing out internal download locations and
instructions, delivering guidance and support to anyone who has
inquired. However, I cannot locate a download request from you in our
support center.

Qwik-Fix Pro is currently in Release Candidate 1 with a planned General
Availability for August. We most certainly appreciate the tremendous
beta feedback we have received over these last months; it has helped us
tremendously. It is not apparent from your post whether you have been
testing the long ago discontinued Qwik-Fix Beta v0.60 or the later
Qwik-Fix Pro, but the description of your problems sounds as if no
changes are even applied to your system. If you could give us more
details about your system (OS, SP level) I would love to reproduce this.

You are not mentioning any of the URL protocol handler lockdowns, MIME
type mitigations or icon handler restrictions that RC1 contains so I am
guesstimating that you have been testing an older beta version. Feel very
welcome to request an RC1 download from our site.

I am also positive that your concerns about the updating logic will be
answered fully once you look at the multiple layers of encryption and
digital signatures based on 2048 bit RSA keys that combined mitigate
against the impact of any imaginable MITM attack - these are all covered
in the complete forensics analysis of Qwik-Fix Pro that will be released
in the near future. We are trying to far exceed the industry
expectations on the level of openness and are eagerly playing cards with
our hands open.

It is encouraging that you have enough faith in Windows XP Service Pack
2 to hint that it will solve all the security issues in Internet
Explorer. I will have to disagree on that sentiment as vulnerabilities
have been discovered that even work on a fully patched XPSP2RC2. Much as
you, I am looking forward to the improvements of the final service pack.


Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
thor () pivx com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
