
Full Disclosure mailing list archives

Re: [FDSA] Notepad Highly Critical Cross-Site Scripting (XSS) Vulnerability
From: "worried security" <worriedsecurity () googlemail com>
Date: Thu, 17 Jan 2008 21:19:18 +0000

On Jan 17, 2008 6:40 PM, str0ke <str0ke () milw0rm com> wrote:
> Fredrick Diggle wrote:
> > #######################################################################
> >
> > =======
> > 3) Proof of Concept
> > =======
> >
> > 1. Open Notepad
> > 2. Enter the following text
> > <script>alert("xss");</script>
> > 3. Save file as "exploit.html"
> > 4. double click the payload file
> >
> > #######################################################################

lmfao.

should we release the real exploit now? ok, there isn't one but there
should be. good day for paranoids... i'll keep my eye on the milw0rm
mailing list just in case.

i guess we should just pass this off as a "funny" and not take the
jack bauer federal attitude.

the problem with these "funnies" is what was originally a "funny" can
turn into a real security event because the tip off gets hackers
looking at notepad and it can often uncover a vulnerability.

not directly related to the "funny" post on full-disclosure but
indirectly, because it gets people's taste buds and mind thought
processes rolled into notepad exploitation mode.

so while folks think the suggestion of watching out for notepad
vulnerabilities in the next 48 hours etc may also seem like a "funny"
it could in reality turn out to be an investment paid off.

we should just hope its a "security researcher" who hits on notepad
and not an "exploit hacker".

i can see something like this getting put into the "multi exploit attack
of trusted sites" attack vector that's doing the rounds according to
recent media reports.

so while this is for the most part a "funny" and a "lmfao" it could
actually trigger off a real life scenario that we should all be
watching out for.

valdis will back me up on this one because he, like me, shares the
same mind thought continual on matters of the cyber security agenda,
threat risk analysis of inbound attacks and mailing list reports,
inaccurate or otherwise real.

speculation is a healthy part of deciding who is a moron and who
isn't, keep up the good work Fredrick Diggle or something.

do you know the big boys are on the list? jack bauer is not impressed
but has written up a report to log the incident in case exploit runs
appear and/or disclosures get released in the near future under another
name where multiple hosts get compromised.

he'll be able to link back to this "funny" and point blame towards the
"Fredrick Diggle" and ask for a subpoena to get your network
connection data from your internet service provider to send the big
boys over to have a word over your possible connections with a notepad
virus/worm outbreak.

moral of the story, you shouldn't do these things because you can end
up getting into trouble even if you're not to blame, because remember
there are a lot of folks in jail who haven't actually committed a cyber
crime, but as long as the government provides information in a
carefully crafted way to the jury then it's a 50/50 chance you could
get jailed even through a false positive.

this list used to be a kid-about, but increasingly there is a sense of
zero tolerance hitting the air on full-disclosure as hacking takes a
turn for the worse in 2008, as cyber terrorism on control systems
becomes a real and immediate possibility in 2008.

the feds are now considering whether to bring in laws to protect
full-disclosure from attacks and false positive reporting by aliases,
where a takeover of the list, flooding of the list, or continuous posting
of spam and useless information will be seen as a criminal offence and
chargeable under the telephony communications act.

full-disclosure is now going to be reclassified as critical
infrastructure, a key site of importance which is seen as a
terrorist target, so it will be protected under the weight of the law.

thats not all, the full-disclosure list in the wake of the new cyber
terrorism threat is readying to reclassify security researchers as
cyber terrorist suspects and lists like this one will be seen as a key
front line on the war on cyber terror.

so, before you hit send on full-disclosure think about it the next time.

there are all sorts of changes being made so posts like this one will
be seen as "wasting police time" and "disrupting critical
infrastructure of national importance".

so these days of play arounds are finally coming to an end and we
should be more careful before using full-disclosure as a way to get
attention towards a cyber threat that doesn't even exist (yet).

this is an international mailing list; we shouldn't have people dancing
around on it making funny posts when there is national security at
stake.

i'm going to write more on this later on, on the n3td3v mailing list,
to save people having to read my further rants on these matters, but
it's a very serious subject that needs to be looked at, which i hope
the government will look at as well. let's criminalize posts like fake
security advisories. i think we should, let's do it!

this is a grey area of the disruption of communications... it needs to
be better clarified so the Fredrick Diggles of the world know the line
not to cross and so the feds have powers to fine and/or jail people who
are purposely wasting police time.

essentially, full-disclosure is reporting things to the police and it
should be seen as such and not just "another hacker channel" to play
around on.

the biggest agencies of the land are on full-disclosure for one
purpose, let's make things official so everyone knows where we stand.

full-disclosure is no longer just a mailing list; it should be taken
under full government control and the rules should be publicly set
out.

this isn't about showing off anymore. there are media reports that
hacking can shut down power stations and other shit, so i think
everyone including me (n3td3v) should stop posting on full-disclosure,
including gadi evron, whose posts are increasingly "unuseful" and who should
stop posting, because national cyber security folks are getting
frustrated, and you could be stopping or delaying a real cyber
terrorism threat getting sent to the list.

those with vested ego boosting posts and self promotion,
full-disclosure is no longer for you, leave now, leave! i'm leaving,
leave with me and leave the list for serious counter terrorism
operations and let the feds get on with their work.

full-disclosure is a crime scene, let's only have the criminals in it
not the joke artists.

i'm all for the department of homeland security putting their logos on
the full-disclosure info page to scare the kiddiots away.

full-disclosure looks too neutral; they just don't realise the big
boys are sitting on here and exactly the role this list plays in the
fight against cyber crime and cyber terrorism.

i guess bringing in new laws is the only way we can make them listen.
uk is already banning security tools, united states is sure to follow.

the scene is evolving in its nature. there are real dangers now; it's
not just about crashing 56k modems anymore, there are real economic and
public safety issues around for the feds to get to grips with, and
these fake security advisories are extremely unhelpful and counter
productive.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
