Full Disclosure
mailing list archives
Re: Fwd: verizon vs m$
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Mon, 6 Dec 2010 20:49:11 +0000
Yeah, I didn't mean to suggest that you were personally backing up that statement - the point being danced over in the
paper is the "just create a web server in protected mode sourced from the Internet." It's analogous to "just break
into someone's house and find the Brinks cellular-based alarm control unit and you can do a faraday wrap to prevent the
signal from going out."
I guess the real question is "why do I care what these people think." You would think that after all the stupid
security tricks I've seen discussed in this industry that I would have better learned to convert the ignorance to the
ignored. One last note (to the list) - I got an email somewhat critical of Dan (the author of the article) and want
to make sure it is understood that I'm not claiming that HE came up with a deceptive title - that's something the
editors of El Reg do. I've had many an article originally written for Security Focus have its title changed when
shared at the Reg. One of note was an article changed to a title of "Users Should Get a Freaking Clue" which I never
said - it does, however, drive ad clicks.
t
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of
Ven Ted
Sent: Monday, December 06, 2010 12:33 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Fwd: verizon vs m$
---------- Forwarded message ----------
From: Ven Ted <v3nt3d () googlemail com>
Date: Mon, Dec 6, 2010 at 8:31 PM
Subject: Re: [Full-disclosure] verizon vs m$
To: John Lightfoot <jlightfoot () gmail com>
"the payload can create a web server listening on any port on the loopback interface, even as a limited user at low
integrity"
I'm only going from what the paper says - but that indicates to me that you create a web server from protected mode,
creating an intranet server that didn't previously exist, so you're not pwning anyone's intranet, and you don't need to
already be running as a medium integrity process to serve the malicious intranet page.
On Mon, Dec 6, 2010 at 8:27 PM, John Lightfoot <jlightfoot () gmail com> wrote:
<snip>
Once the initial remote exploit has been used to execute arbitrary code
</snip>
I think Thor's point is if your Intranet is pwned such that it's hosting remote exploits, you're already screwed.
It's a configuration issue, anyway, so it's easy enough to mitigate against. My question is why did MS choose to
disable Protected Mode by default in the Local Internet Zone? I've only run across one application that won't run in
Protected Mode, it seems like it should be on by default for all zones.
On Mon, Dec 6, 2010 at 1:49 AM, Thor (Hammer of God) <thor () hammerofgod com> wrote:
I don't understand how Dan arrived at "Researchers bypass Internet Explorer Protected Mode" for the article title.
Protected Mode isn't being bypassed at all - the "researchers that figured out a reliable way to bypass the measure"
apparently just noticed that Protected Mode is disabled by default in the Local Intranet Zone.
Is this something you are concerned about? This would obviously only be exploitable by accessing sites on one's own
intranet by specifically using intranet nomenclature (and trusted sites, but the user has to add those). Also, the
article (or the researchers) are incorrect about the default settings for the Intranet zone - it's Medium-low, not
Medium. If the problem one is trying to fix is based on attackers compromising intranet sites and then posting code
for unpatched vulnerabilities that would still end up only running in the user context, then you've got much bigger
problems, no?
I'm just wondering why you are bringing attention to the article, or really, why it was written in the first place.
t
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of
Georgi Guninski
Sent: Sunday, December 05, 2010 1:26 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] verizon vs m$
in a world like this, verizon kills exploder bugs:
http://www.theregister.co.uk/2010/12/03/protected_mode_bypass/
http://www.verizonbusiness.com/resources/whitepapers/wp_escapingmicrosoftprotectedmodeinternetexplorer_en_xg.pdf
the language doesn't seem passionate:
-----
Finally, Microsoft and other software vendors should clearly document which features do and do not have associated
security claims. Clearly stating which features make security claims, and which do not, will allow informed decisions
to be made on IT security issues.
-----
lol
--
joro
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
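The configuration point the thread keeps returning to, that Protected Mode is off by default in the Local Intranet zone while the zone's default security level is Medium-low, is checkable from the registry. The script below is an added example written for this page; it is not code from any of the posters, from Verizon's paper or from Microsoft. It assumes the well-known IE zone layout (zone ids 0 to 4 under `...\Internet Settings\Zones`, DWORD `2500` where 0 means Protected Mode on and 3 means off, DWORD `CurrentLevel` where 0x10500 is Medium-low and 0x11000 is Medium) and that Group Policy copies of those keys, when present, take precedence over the per-user key. Run it without arguments to audit; `-Fix` turns Protected Mode on in the per-user key for any zone other than Local Machine where it is off.

```powershell
<#
  Added example (not from the thread): audit, and optionally enable, Internet
  Explorer Protected Mode for each URL security zone.

  Assumed registry layout (well-known IE behaviour, not spelled out on the page):
    ...\Internet Settings\Zones\<n>   n = 0 Local Machine, 1 Local Intranet,
                                       2 Trusted Sites, 3 Internet, 4 Restricted Sites
    DWORD 2500         : 0 = Protected Mode on, 3 = Protected Mode off
    DWORD CurrentLevel : 0x10000 Low, 0x10500 Medium-low, 0x11000 Medium, 0x12000 High
  Policy keys under ...\Policies\... override the user's own key when present.
#>
param([switch]$Fix)

$ZoneNames  = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$LevelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x12000 = 'High' }
$UserKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

# Read one DWORD from a zone key; $null when the key or value is absent.
function Get-ZoneValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-ProtectedModeReport {
    foreach ($zone in 0..4) {
        $source = $null
        $pm     = $null
        # Policy wins over the user's own setting, so consult the policy keys first.
        foreach ($base in ($PolicyKeys + $UserKey)) {
            $key = Join-Path $base $zone
            $pm  = Get-ZoneValue -Key $key -Name '2500'
            if ($null -ne $pm) { $source = $key; break }
        }
        $level = Get-ZoneValue -Key (Join-Path $UserKey $zone) -Name 'CurrentLevel'

        if ($null -eq $pm)    { $pmText = 'not set (IE built-in default)' }
        elseif ($pm -eq 0)    { $pmText = 'on' }
        else                  { $pmText = 'off' }

        if ($null -eq $level)                    { $levelText = 'not set' }
        elseif ($LevelNames.ContainsKey($level)) { $levelText = $LevelNames[$level] }
        else                                     { $levelText = 'custom (0x{0:X})' -f $level }

        [pscustomobject]@{
            ZoneId        = $zone
            Zone          = $ZoneNames[$zone]
            Level         = $levelText
            ProtectedMode = $pmText
            Source        = $source
        }
    }
}

# Write 2500 = 0 into the user's own key; IE must be restarted for it to apply.
function Enable-ProtectedMode {
    param([int]$Zone)
    $key = Join-Path $UserKey $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '2500' -Value 0 -Type DWord
}

$report = Get-ProtectedModeReport
$report | Format-Table ZoneId, Zone, Level, ProtectedMode, Source -AutoSize

if ($Fix) {
    # Zone 0 (Local Machine) is governed by its own lockdown and is left alone.
    foreach ($row in ($report | Where-Object { $_.ProtectedMode -eq 'off' -and $_.ZoneId -ge 1 })) {
        if ($row.Source -like '*\Software\Policies\*') {
            Write-Warning "Zone $($row.ZoneId) ($($row.Zone)) is set by Group Policy; change it in the policy, not here."
            continue
        }
        Enable-ProtectedMode -Zone $row.ZoneId
        Write-Host "Protected Mode turned on for zone $($row.ZoneId) ($($row.Zone)); restart IE to apply."
    }
}
```

On an unmodified installation the report should show zone 1 (Local Intranet) with Level `Medium-low` and Protected Mode `off`, which is the pair of facts Thor and John are arguing about; zones 3 and 4 show `on`. If the Source column points at a `Policies` key, the setting is domain-managed and flipping the user value will not stick, hence the warning rather than a write.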