Re: Static Blocking for the WMF Exploit - over50known variants

["ad () heapoverflow com" <ad () heapoverflow com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I think jerome athias pubbed a working workaround about unloading a
dll but anyway the most evident countermeasure while browsing website
and wich I guess everyone does, it's to use firefox instead of IE :)

Discussion Lists wrote:
> Message Got it . . . the mscracks site is still available, so I
> have been running my tests from that, and I think I may have a
> workaround for anyone who is interested, but I need people to help
> me test it. Here's what I did:
>
> First: I created a virtual machine with SP2 installed, AVG Free AV
> and updated it.  Then I went to the mscracks site.  I did this
> running as admin on my computer BTW.  I noticed as the page came
> up, AVG Free alerted me to a bunch of infections.  Bad news.
>
> Last: I reverted the virtual machine to the pre-mscracks state
> (with SP2, and AVG Free), and updated AVG Free.  I then ran some
> code that activates Window's SAFER mechanism for Internet Explorer.
> I will attach a link at the end of the email for more info.  I
> confirmed the IE was running with reduced privs, and then opened
> MSCracks. AVG Free didn't complain once about infections and such.
>
> To me that means that reducing browser privileges thwarts this
> exploit.  Can someone else test this for me as well?  Anyone
> interested in the VBScript code I used for SAFER email me as well.
>  I will be happy to send it along.
>
>
>
> -----Original Message----- *From:* Larry Seltzer
> [mailto:larry () larryseltzer com] *Sent:* Thursday, December 29, 2005
> 9:07 AM *To:* Discussion Lists; full-disclosure () lists grok org uk
> *Subject:* RE: [Full-disclosure] Static Blocking for the WMF
> Exploit - over50known variants
>
> > > Sorry if this was asked before, but how do I know if my machine
> has been compromised?  I am working on a way to contain any damage
> caused by this exploit, and it would be helpful to know for sure
> that what I am doing is working or not working.
>
> Unfortunately, I think the test for this is specific to each
> variant and not to the WMF vector. IOW, there is no one test.
>
> Larry Seltzer eWEEK.com Security Center Editor
> http://security.eweek.com/ <blocked::http://security.eweek.com/>
> http://blog.ziffdavis.com/seltzer Contributing Editor, PC Magazine
> larryseltzer () ziffdavis com
>
>
>
> ----------------------------------------------------------------------
>
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iQIVAwUBQ7QiE6+LRXunxpxfAQJVhw//T4dpRgMkFgMFX0o/4SeoICMG+MUcDaq1
+/hIKESLTo2EZ5Lhnkog9hWOwqCQYlNy1EZOBbInUauW44nrXdvGOcBl/5ntRpGe
KqBtHT2amBzoQ8LUJzIgofiQ6atUEw1n40APQhCqrAXI6rR/Vx3r69kBQwG04zez
DvPmy7OfOVt1acqUOg9Ytl3rSGUeoJQStIGRy3obdwqoCTk8YX9ep2zwDQgxQ38+
75DExrHKOPof050XVzHEELToYXM13PgEo4v82+r6qZrW8vl4cq2OBqy9FVTPsvZS
wEr+VF+asAAAilTMNAffA2XrMTzfOm/Zd+b7jzsZS2FiAhH8aeSgDQum5mU18P6v
Wf9wikl/lfyPN/BTb+m8JHBX4lYZv8k4nA9j/0uXgesYTDcotXxLLJtYDZpRONaZ
DF3SVBGLAa1SymtOejOm1WatcIkQ1O349E2DIU4UzIq1mDGom7vvR4MLFJYkULWQ
YkiJ09nRFxUkc/Q1CbEt5+QG8ZvK3XKOjz6/yzFSsv/NIu7Y7xaamglJK52b0zAK
82ILJdSHjRT6iaMQvkskZ/ENDXsfBIvfHTQkyIY4dD1AdJJsz5+YFwox1bmCfrXq
Hk26NaBASC+z30GrwyJJyuynmwP2fRC0Qj/qiKLZgPwTQRuaKBZR3dOSC9Xj7bSB
rRLs89RvQEA=
=Bjr8
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/