Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Full-disclosure] Static Blocking for the WMF Exploit - over50known

from [Discussion Lists] Network Security [Permanent Link]
Subject: RE: [Full-disclosure] Static Blocking for the WMF Exploit - over50known variants
Date: Thu, 29 Dec 2005 09:16:53 -0800 
Got it . . . the mscracks site is still available, so I have been
running my tests from that, and I think I may have a workaround for
anyone who is interested, but I need people to help me test it.  Here's
what I did:
 
First:
I created a virtual machine with SP2 installed, AVG Free AV and updated
it.  Then I went to the mscracks site.  I did this running as admin on
my computer BTW.  I noticed as the page came up, AVG Free alerted me to
a bunch of infections.  Bad news.
 
Last:
I reverted the virtual machine to the pre-mscracks state (with SP2, and
AVG Free), and updated AVG Free.  I then ran some code that activates
Window's SAFER mechanism for Internet Explorer.  I will attach a link at
the end of the email for more info.  I confirmed the IE was running with
reduced privs, and then opened MSCracks.  AVG Free didn't complain once
about infections and such.
 
To me that means that reducing browser privileges thwarts this exploit.
Can someone else test this for me as well?  Anyone interested in the
VBScript code I used for SAFER email me as well.  I will be happy to
send it along.
 
 

        -----Original Message-----
        From: Larry Seltzer [mailto:larry@larryseltzer.com] 
        Sent: Thursday, December 29, 2005 9:07 AM
        To: Discussion Lists; full-disclosure@lists.grok.org.uk
        Subject: RE: [Full-disclosure] Static Blocking for the WMF
Exploit - over50known variants
        
        
        >>Sorry if this was asked before, but how do I know if my
machine has been compromised?  I am working on a way to contain any
damage caused by this exploit, and it would be helpful to know for sure
that what I am doing is working or not working.
         
        Unfortunately, I think the test for this is specific to each
variant and not to the WMF vector. IOW, there is no one test. 
         
        Larry Seltzer
        eWEEK.com Security Center Editor
        http://security.eweek.com/ <blocked::http://security.eweek.com/>

        http://blog.ziffdavis.com/seltzer
<http://blog.ziffdavis.com/seltzer> 
        Contributing Editor, PC Magazine
        larryseltzer@ziffdavis.com 
         


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Full-disclosure] Static Blocking for the WMF Exploit - over 50known variants, Discussion Lists
Next by Date:  Re: [Full-disclosure] Static Blocking for the WMF Exploit - over50known variants, ad@heapoverflow.com
Previous by Thread:  RE: [Full-disclosure] Static Blocking for the WMF Exploit - over 50known variants, Discussion Lists
Next by Thread:  Re: [Full-disclosure] Static Blocking for the WMF Exploit - over50known variants, ad@heapoverflow.com
Indexes:  [Date] [Thread] [Top] [All Lists]