Bugtraq mailing list archives

Re: [Full-disclosure] Yet another 0day for IE (Disabling Javascript no longer a fix)


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 25 Sep 2006 16:28:53 +1200

Bill Stout wrote:

http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
"This exploit can be mitigated by turning off Javascripting. 

Update: Turning off Javascripting is no longer a valid mitigation.  ...

Well, to pick a nit, the Sunbelt blog entry is correct -- the specific 
exploit they were talking about does require scripting.

What you are referring to is that the suggested workaround to block 
that _exploit_ does not mitigate the _vulnerability_ that that same 
exploit takes advantage of, and you are correct.  The vulnerability can 
be (and has been since, both in PoC and in the wild IIRC) exploited 
with plain (??) "VML HTML" -- that is, without using scripting.

...   A valid mitigation is unregistering the VML dll. "

Much as a valid mitigation for a snake bite mid-calf is (swift) 
amputation below the knee...   8-)

If you'd like to keep using your lower leg -- I mean, VML in IE and 
other apps -- you might consider the third-party, unsupported, use-at-
your-own-risk ZERT patch, which mitigates the vulnerability while 
leaving VML functionality available:

   http://isotf.org/zert/

Seriously though, if we were all a little more careful about our use of 
terminology, this should all have been rather clear from the start.


Regards,

Nick FitzGerald

