North American Network Operators Group

Re: FBI tells the public to call their ISP for help
On Jun 15, 2007, at 11:31 PM, Fergie wrote:

- -- Florian Weimer <[email protected]> wrote:

At the prior ISOS conference in Redmond, Microsoft made assurances even systems failing Genuine Advantage verification can enable automatic updates to obtain critical updates. One of the attendees remarked privately this automation works only for English versions of XP. :(

With vulnerabilities created by Microsoft, such as:

- cloaking files and processes
- cloaking shell script extensions (even when show enabled)
- requiring scripts for basic browser functionality
- preventing removal of their exploitable browser
- Word
- .Net
- inadequate provisions for temporary privilege escalation
- unfortunate network defaults
- reliance upon perimeter security
- etc.

It seems such negligence might make Micos0ft vulnerable to class actions, especially from ISPs bearing the brunt of related support. With the FBI recommendation, another very deep pocket might be added. The paper provided by Google should give anyone cause.

http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf

"A popular exploit we encountered takes advantage of a vulnerability in Microsoft’s Data Access Components that allows arbitrary code execution on a user’s computer [6]. The following example illustrates the steps taken by an adversary to leverage this vulnerability into remote code execution:

• The exploit is delivered to a user’s browser via an iframe on a compromised web page.
• The iframe contains Javascript to instantiate an ActiveX object that is not normally safe for scripting.
• The Javascript makes an XMLHTTP request to retrieve an executable.
• Adodb.stream is used to write the executable to disk.
• A Shell.Application is used to launch the newly written executable."

-Doug
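An added example, not part of the original message or of the quoted paper: a static check in Python that flags page source only when the download, write-to-disk and launch stages from the quoted steps appear together, since each indicator alone is common in ordinary pages. The stage names, the string-concatenation normalisation and both sample pages are constructed assumptions; the samples are inert.

```python
import re

# One pattern per step of the chain quoted from the paper (names are hypothetical).
STAGES = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "activex_object": re.compile(r"new\s+ActiveXObject|<object\b[^>]*classid", re.I),
    "xmlhttp_fetch": re.compile(r"xmlhttp", re.I),
    "adodb_stream_write": re.compile(r"adodb\.stream", re.I),
    "shell_launch": re.compile(r"shell\.application", re.I),
}

# Download + write to disk + execute: the combination worth alerting on.
CHAIN = {"xmlhttp_fetch", "adodb_stream_write", "shell_launch"}

# Matches the seam in "Ado" + "db.Stream" so split literals can be rejoined.
_CONCAT = re.compile(r"""(["'])\s*\+\s*\1""")


def normalize(source: str) -> str:
    """Collapse adjacent string literals joined with '+' into one literal."""
    return _CONCAT.sub("", source)


def stages_present(source: str) -> set:
    """Return the names of all stages whose indicator appears in the page."""
    text = normalize(source)
    return {name for name, rx in STAGES.items() if rx.search(text)}


def is_suspicious(source: str) -> bool:
    """True only when every stage in CHAIN is present in the same page."""
    return CHAIN <= stages_present(source)


# Constructed, inert sample: identifier strings only, nothing is instantiated.
SAMPLE_HIT = '''<iframe src="about:blank" width="0" height="0"></iframe>
<script>
var progids = ["Microsoft.XMLHTTP", "Ado" + "db.Str" + "eam", "Shell.Appli" + "cation"];
</script>'''

# Constructed benign sample: legacy AJAX in a page that also embeds an iframe.
SAMPLE_BENIGN = '''<iframe src="/banner.html"></iframe>
<script>var req = new ActiveXObject("Microsoft.XMLHTTP");</script>'''

if __name__ == "__main__":
    for label, page in (("hit", SAMPLE_HIT), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(page), sorted(stages_present(page)))
```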