-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I think jerome athias pubbed a working workaround about unloading a
dll but anyway the most evident countermeasure while browsing website
and wich I guess everyone does, it's to use firefox instead of IE :)
Discussion Lists wrote:
Message Got it . . . the mscracks site is still available, so I
have been running my tests from that, and I think I may have a
workaround for anyone who is interested, but I need people to help
me test it. Here's what I did:
First: I created a virtual machine with SP2 installed, AVG Free AV
and updated it. Then I went to the mscracks site. I did this
running as admin on my computer BTW. I noticed as the page came
up, AVG Free alerted me to a bunch of infections. Bad news.
Last: I reverted the virtual machine to the pre-mscracks state
(with SP2, and AVG Free), and updated AVG Free. I then ran some
code that activates Window's SAFER mechanism for Internet Explorer.
I will attach a link at the end of the email for more info. I
confirmed the IE was running with reduced privs, and then opened
MSCracks. AVG Free didn't complain once about infections and such.
To me that means that reducing browser privileges thwarts this
exploit. Can someone else test this for me as well? Anyone
interested in the VBScript code I used for SAFER email me as well.
I will be happy to send it along.
-----Original Message----- *From:* Larry Seltzer
[mailto:larry@larryseltzer.com] *Sent:* Thursday, December 29, 2005
9:07 AM *To:* Discussion Lists; full-disclosure@lists.grok.org.uk
*Subject:* RE: [Full-disclosure] Static Blocking for the WMF
Exploit - over50known variants
Sorry if this was asked before, but how do I know if my machine
has been compromised? I am working on a way to contain any damage
caused by this exploit, and it would be helpful to know for sure
that what I am doing is working or not working.
Unfortunately, I think the test for this is specific to each
variant and not to the WMF vector. IOW, there is no one test.
Larry Seltzer eWEEK.com Security Center Editor
http://security.eweek.com/ <blocked::http://security.eweek.com/>
http://blog.ziffdavis.com/seltzer Contributing Editor, PC Magazine
larryseltzer@ziffdavis.com
----------------------------------------------------------------------
_______________________________________________ Full-Disclosure -
We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
iQIVAwUBQ7QiE6+LRXunxpxfAQJVhw//T4dpRgMkFgMFX0o/4SeoICMG+MUcDaq1
+/hIKESLTo2EZ5Lhnkog9hWOwqCQYlNy1EZOBbInUauW44nrXdvGOcBl/5ntRpGe
KqBtHT2amBzoQ8LUJzIgofiQ6atUEw1n40APQhCqrAXI6rR/Vx3r69kBQwG04zez
DvPmy7OfOVt1acqUOg9Ytl3rSGUeoJQStIGRy3obdwqoCTk8YX9ep2zwDQgxQ38+
75DExrHKOPof050XVzHEELToYXM13PgEo4v82+r6qZrW8vl4cq2OBqy9FVTPsvZS
wEr+VF+asAAAilTMNAffA2XrMTzfOm/Zd+b7jzsZS2FiAhH8aeSgDQum5mU18P6v
Wf9wikl/lfyPN/BTb+m8JHBX4lYZv8k4nA9j/0uXgesYTDcotXxLLJtYDZpRONaZ
DF3SVBGLAa1SymtOejOm1WatcIkQ1O349E2DIU4UzIq1mDGom7vvR4MLFJYkULWQ
YkiJ09nRFxUkc/Q1CbEt5+QG8ZvK3XKOjz6/yzFSsv/NIu7Y7xaamglJK52b0zAK
82ILJdSHjRT6iaMQvkskZ/ENDXsfBIvfHTQkyIY4dD1AdJJsz5+YFwox1bmCfrXq
Hk26NaBASC+z30GrwyJJyuynmwP2fRC0Qj/qiKLZgPwTQRuaKBZR3dOSC9Xj7bSB
rRLs89RvQEA=
=Bjr8
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
