Full Disclosure mailing list archives
RE: Static Blocking for the WMF Exploit - over 50 known variants
From: "Discussion Lists" <discussions () lagraphico com>
Date: Thu, 29 Dec 2005 09:16:53 -0800
Got it . . . the mscracks site is still available, so I have been running my tests from that, and I think I may have a workaround for anyone who is interested, but I need people to help me test it. Here's what I did:

First: I created a virtual machine with SP2 installed, AVG Free AV and updated it. Then I went to the mscracks site. I did this running as admin on my computer, BTW. I noticed as the page came up, AVG Free alerted me to a bunch of infections. Bad news.

Last: I reverted the virtual machine to the pre-mscracks state (with SP2 and AVG Free), and updated AVG Free. I then ran some code that activates Windows' SAFER mechanism for Internet Explorer. I will attach a link at the end of the email for more info. I confirmed that IE was running with reduced privs, and then opened MSCracks. AVG Free didn't complain once about infections and such.

To me that means that reducing browser privileges thwarts this exploit. Can someone else test this for me as well? Anyone interested in the VBScript code I used for SAFER, email me as well. I will be happy to send it along.

-----Original Message-----
From: Larry Seltzer [mailto:larry () larryseltzer com]
Sent: Thursday, December 29, 2005 9:07 AM
To: Discussion Lists; full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] Static Blocking for the WMF Exploit - over 50 known variants

>>Sorry if this was asked before, but how do I know if my machine has been compromised? I am working on a way to contain any damage caused by this exploit, and it would be helpful to know for sure that what I am doing is working or not working.

Unfortunately, I think the test for this is specific to each variant and not to the WMF vector. IOW, there is no one test.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
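The message above describes launching Internet Explorer under Windows' SAFER mechanism so that it runs with reduced privileges, but the poster's VBScript is not on the page. What follows is an added example written for this archive, not the poster's code: it uses the Win32 Safer API (SaferCreateLevel, SaferComputeTokenFromLevel, CreateProcessAsUser from advapi32) from PowerShell to start a program under a "Normal User" SAFER token, which is the same restriction the message relies on. Assumptions: a Windows host with PowerShell 2.0 or later (Add-Type needs .NET), and the iexplore.exe path, which may differ on your machine.

```powershell
# Added example (not the poster's VBScript): start a program under a SAFER
# "Normal User" token via the Win32 Safer API.
# Assumptions: Windows with PowerShell 2.0+ (Add-Type needs .NET); the
# iexplore.exe path at the bottom is assumed and may differ on your machine.
$saferSource = @"
using System;
using System.Runtime.InteropServices;

public static class SaferLaunch
{
    // Constants from winsafer.h
    const uint SAFER_SCOPEID_USER       = 2;
    const uint SAFER_LEVELID_NORMALUSER = 0x20000;  // Administrators/Power Users become deny-only SIDs, privileges stripped
    const uint SAFER_LEVEL_OPEN         = 1;
    const uint CREATE_NEW_CONSOLE       = 0x10;      // harmless for GUI programs, needed for the cmd.exe check

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX; public int dwY; public int dwXSize; public int dwYSize;
        public int dwXCountChars; public int dwYCountChars; public int dwFillAttribute;
        public int dwFlags; public short wShowWindow; public short cbReserved2;
        public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION
    {
        public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId;
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SaferCreateLevel(uint dwScopeId, uint dwLevelId, uint openFlags,
        out IntPtr pLevelHandle, IntPtr lpReserved);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SaferComputeTokenFromLevel(IntPtr levelHandle, IntPtr inAccessToken,
        out IntPtr outAccessToken, uint dwFlags, IntPtr lpReserved);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SaferCloseLevel(IntPtr hLevelHandle);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr hToken, string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags,
        IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo,
        out PROCESS_INFORMATION lpProcessInformation);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Returns the PID of the new reduced-privilege process; throws on any API failure.
    public static int Launch(string commandLine)
    {
        IntPtr level, token;
        if (!SaferCreateLevel(SAFER_SCOPEID_USER, SAFER_LEVELID_NORMALUSER, SAFER_LEVEL_OPEN, out level, IntPtr.Zero))
            throw new System.ComponentModel.Win32Exception();
        try
        {
            // InAccessToken == NULL: derive the restricted token from our own process token.
            if (!SaferComputeTokenFromLevel(level, IntPtr.Zero, out token, 0, IntPtr.Zero))
                throw new System.ComponentModel.Win32Exception();
        }
        finally { SaferCloseLevel(level); }

        try
        {
            STARTUPINFO si = new STARTUPINFO();
            si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
            PROCESS_INFORMATION pi;
            // No SeAssignPrimaryTokenPrivilege is needed: the token is a restricted copy of the caller's.
            if (!CreateProcessAsUser(token, null, commandLine, IntPtr.Zero, IntPtr.Zero, false,
                                     CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi))
                throw new System.ComponentModel.Win32Exception();
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            return pi.dwProcessId;
        }
        finally { CloseHandle(token); }
    }
}
"@
Add-Type -TypeDefinition $saferSource

# Assumed install path; quoted because lpCommandLine is parsed like a command line.
$ie = '"C:\Program Files\Internet Explorer\iexplore.exe"'
$childPid = [SaferLaunch]::Launch($ie)
"Started iexplore.exe under a SAFER NormalUser token, PID $childPid"
```

To confirm the reduction the way the poster says he did, launch a shell with the same call, `[SaferLaunch]::Launch('cmd.exe /k whoami /groups')`, and check that BUILTIN\Administrators is listed as "Group used for deny only" (whoami ships in the XP Support Tools and is built into Vista and later). Two caveats a tester should keep in mind: the restricted token limits what a payload can write (HKLM, Program Files, system32 are off limits), but the vulnerable WMF parsing code still runs inside the browser, so this is damage containment, not a fix; and an antivirus staying quiet is evidence that the payload's dropped files never landed, not proof that nothing executed.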
Current thread:
- RE: Static Blocking for the WMF Exploit - over 50 known variants Discussion Lists (Dec 29)
- Re: Static Blocking for the WMF Exploit - over 50 known variants ad () heapoverflow com (Dec 29)