Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Static Blocking for the WMF Exploit - over50known variants

From: "Discussion Lists" <discussions () lagraphico com>
Date: Thu, 29 Dec 2005 09:16:53 -0800
Got it . . . the mscracks site is still available, so I have been
running my tests from that, and I think I may have a workaround for
anyone who is interested, but I need people to help me test it.  Here's
what I did:
 
First:
I created a virtual machine with SP2 installed, AVG Free AV and updated
it.  Then I went to the mscracks site.  I did this running as admin on
my computer BTW.  I noticed as the page came up, AVG Free alerted me to
a bunch of infections.  Bad news.
 
Last:
I reverted the virtual machine to the pre-mscracks state (with SP2, and
AVG Free), and updated AVG Free.  I then ran some code that activates
Window's SAFER mechanism for Internet Explorer.  I will attach a link at
the end of the email for more info.  I confirmed the IE was running with
reduced privs, and then opened MSCracks.  AVG Free didn't complain once
about infections and such.
 
To me that means that reducing browser privileges thwarts this exploit.
Can someone else test this for me as well?  Anyone interested in the
VBScript code I used for SAFER email me as well.  I will be happy to
send it along.
 
 

        -----Original Message-----
        From: Larry Seltzer [mailto:larry () larryseltzer com] 
        Sent: Thursday, December 29, 2005 9:07 AM
        To: Discussion Lists; full-disclosure () lists grok org uk
        Subject: RE: [Full-disclosure] Static Blocking for the WMF
Exploit - over50known variants
        
        
        >>Sorry if this was asked before, but how do I know if my
machine has been compromised?  I am working on a way to contain any
damage caused by this exploit, and it would be helpful to know for sure
that what I am doing is working or not working.
         
        Unfortunately, I think the test for this is specific to each
variant and not to the WMF vector. IOW, there is no one test. 
         
        Larry Seltzer
        eWEEK.com Security Center Editor
        http://security.eweek.com/ <blocked::http://security.eweek.com/>

        http://blog.ziffdavis.com/seltzer
<http://blog.ziffdavis.com/seltzer> 
        Contributing Editor, PC Magazine
        larryseltzer () ziffdavis com 
         


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: