THE INSIDER VULNERABILITY STILL WORKS AFTER TODAY'S PATCH

To: <bugtraq@xxxxxxxxxxxxxxxxx>, <NTBugtraq@xxxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: THE INSIDER VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
From: <liudieyu@xxxxxxxxxxxxx>
Date: Sat, 3 Jul 2004 01:28:26 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


FROM: Liu Die Yu - http://umbrella.name/
TO  : bugtraq@xxxxxxxxxxxxxxxxx, NTBugtraq@xxxxxxxxxxxxxxxxxxxxxx,
full-disclosure@xxxxxxxxxxxxxxxx
SUBJ: THE INSIDER VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
DATE: 2004/07/03 UTC+800
BODY:

[background]
the latest 0day remote compromise exploit for internet explorer was found
being used in the wild. :-)

"the-insider" exploit was first noticed by the-insider:
http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:fulldisclosure_message-2004060050
and then documented by jelmer:
http://umbrella.name/iebug.com/display-singlemessage.php?readmsg:fulldisclosure_message-2004060124
http://62.131.86.111/analysis.htm 

microsoft just released:
Critical Update for Microsoft Data Access Components - Disable ADODB.Stream
object from Internet Explorer (KB870669)
http://www.microsoft.com/downloads/details.aspx?FamilyID=4D056748-C538-46F6-B7C8-2FBFD0D237E3&DisplayLang=en
which kills the old exploit.

[FIX FOR THE PATCH]
use Shell.Application instead.

[service]
both "attack service"(finding bugs) and "defense service"(securing systems):
http://umbrella.name/

[greetings]
malware( http://www.malware.com/ ) who found Shell.Application.

[signature]
LIUDIEYU
liudieyu AT umbrella . name

Follow-Ups:
- RE: [Full-Disclosure] THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
  - From: Jelmer

Prev by Date: Public Review of OIS Security Vulnerability Reporting and Response Guidelines
Next by Date: RE: [Full-Disclosure] THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
Previous by thread: Re: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines
Next by thread: RE: [Full-Disclosure] THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH
Index(es):
- Date
- Thread