Full Disclosure mailing list archives

Re: Apple IOS security issue pre-advisory record


From: rackow () anl gov
Date: Fri, 23 Mar 2012 22:03:18 -0500

From: john doe <ninjaobsessed () gmail com>
Subject: [Full-disclosure] Apple IOS security issue pre-advisory record

Advisory Disclosure MD5: e29e5501dc2ca4d5fc06855762b14393
Abstract <http://tinyurl.com/8xq2xcq>

There are so many things wrong with this that the 300 should have
been concerned about the possibility of a spoof or worse.  You'd think
it would slow things down to some degree.  Still, was it really 300?

The person behind this doesn't KNOW that 300 people clicked.  All
they have is that their site got that many hits.  Some details
could be pulled out of those clicks, but the results could easily
be skewed.  Of the 300, could you tell what caused, in this
case, the "vote"?  I'm NOT saying that 300 people didn't click,
just that there should be lots of concerns about what that really means.

Of the 300 that clicked, how many or few were done using IE from an
account with admin privs vs how many with firefox and
no-script/no-flash/adblock enabled?  How many via wget or curl?
This would be much more interesting than just 300 people
having "clicked".  Just because someone "clicked" does not
mean that anything was executed.  Even if it was executed, did
it happen from something vulnerable, or was it something
downloading to see what was at the other end?  Finally, if
it ran, did it live long enough to do "damage" or run on
something where interesting data was even possible?

For example, part of my job entails checking out questionable email
for my user community.  Sometimes it's benign.  Sometimes it's
phishing malware.  To make life easier in testing this, I've
created a few scripts that I can just drop a link into and get
the results.  The script has the capability to distribute the
job to several different machines and pull down the data.
It does several tests on the page.  To a server, it could look like
it was coming from an XP, W7, MacOS, or several Linux platforms.
The script makes very good use of test-and-burn virtual machines
(copy the base VM image, run the test, get results, purge the running
image).  Depending on options, it could appear as 1 person clicking
or many more from different machines and nets.

Let's not forget there are others on the test security lists this
message was sent to that probably fall into the testing set as
well for some of the various appliance (barracuda, ironport)
or software (Antivirus/malware/phishing, clamav, avg, postini)
vendors.  No idea on how many or what anyone has done with
testing the link provided.

--Gene

/~\ The ASCII         Gene Rackow               email: rackow () anl gov
\ / Ribbon Campaign   Cyber Security Office     voice: 630-252-7126
 X  Against HTML      Argonne National Lab      
/ \ Email!            9700 S. Cass Ave. / Argonne, IL  60439
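
Added example, not part of Gene's message or of the original advisory: the kind of log triage he is describing, applied to constructed web-server access-log lines (the IPs, timestamps and path below are made up for illustration). It parses combined-format lines, buckets each hit by client type from the User-Agent, collapses repeat hits from the same client, and separates clients that actually fetched the page body from those that only sent a HEAD. The point it shows is that a hit counter says "8" while the number of distinct likely-browser clients is 3.

```python
"""Triage web-server hits so a raw hit count is not mistaken for a head count.

Constructed sample data: the log lines, IPs (RFC 5737 ranges) and path are
invented for this example, not taken from any real server or from the post.
"""
import re
from collections import Counter

# Constructed Apache/nginx "combined" log lines (illustrative, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2012:21:58:10 -0500] "GET /abstract HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"
203.0.113.7 - - [23/Mar/2012:21:58:11 -0500] "GET /abstract HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"
198.51.100.22 - - [23/Mar/2012:21:59:02 -0500] "GET /abstract HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
198.51.100.23 - - [23/Mar/2012:21:59:40 -0500] "GET /abstract HTTP/1.1" 200 5120 "-" "curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0"
198.51.100.24 - - [23/Mar/2012:22:00:05 -0500] "GET /abstract HTTP/1.1" 200 5120 "-" "Wget/1.12 (linux-gnu)"
192.0.2.9 - - [23/Mar/2012:22:01:30 -0500] "HEAD /abstract HTTP/1.1" 200 0 "-" "python-requests/0.10.1"
192.0.2.10 - - [23/Mar/2012:22:02:00 -0500] "GET /abstract HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.11 - - [23/Mar/2012:22:03:15 -0500] "GET /abstract HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10"
"""

# One combined-format line: ip ident user [ts] "req" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Ordered rules: first match wins.  Fetch tools and crawlers are tested before
# browser strings because many of them also claim to be "Mozilla/...".
UA_RULES = [
    ("fetch-tool", re.compile(r"^(curl|Wget|python-requests|libwww-perl|Java)/", re.I)),
    ("crawler", re.compile(r"bot|spider|crawl", re.I)),
    ("msie", re.compile(r"MSIE \d")),
    ("firefox", re.compile(r"Firefox/")),
    ("chrome", re.compile(r"Chrome/")),      # Chrome also carries "Safari/", so test it first
    ("safari", re.compile(r"Safari/")),
]
BROWSER_CLASSES = {"msie", "firefox", "chrome", "safari"}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0  # "-" means no body
    return rec


def classify_ua(ua):
    """Bucket a User-Agent string; 'other' when no rule matches."""
    for label, pattern in UA_RULES:
        if pattern.search(ua):
            return label
    return "other"


def summarize(log_text):
    """Collapse hits to distinct (ip, user-agent) clients and bucket them."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    client_class = {}       # (ip, ua) -> class label
    fetched_body = set()    # clients that actually pulled a 2xx response body
    for r in records:
        key = (r["ip"], r["ua"])
        client_class[key] = classify_ua(r["ua"])
        if r["method"] == "GET" and 200 <= r["status"] < 300 and r["size"] > 0:
            fetched_body.add(key)
    by_class = Counter(client_class.values())
    return {
        "hits": len(records),
        "distinct_clients": len(client_class),
        "by_class": by_class,
        "browser_clients": sum(n for c, n in by_class.items() if c in BROWSER_CLASSES),
        "body_fetched_clients": len(fetched_body),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("raw hits:             ", s["hits"])
    print("distinct clients:     ", s["distinct_clients"])
    print("by class:             ", dict(s["by_class"]))
    print("likely browsers:      ", s["browser_clients"])
    print("fetched a page body:  ", s["body_fetched_clients"])
```

Even the "likely browsers" number is an upper bound: a User-Agent header is whatever the client chooses to send, and a scripted fetch that sets a Firefox string lands in the browser bucket just as Gene's test harness would. The log can tell you that a body was retrieved; it cannot tell you that anything was rendered or executed.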

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
