Re: ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)]

To: Gadi Evron <ge@xxxxxxxxxxxx>
Subject: Re: ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)]
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
Date: Mon, 25 Sep 2006 09:54:25 -0700
Cc: Bill Stout <bill.stout@xxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx, botnets@xxxxxxxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pacbell.net; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=Hu/mSCUY/DVcScfsm4bE3bmFnUtQyqVCP4ETG2cCRUvjAq5sO1OiMe2pw9zXe8cg+lCjet6+95IZKjK58nLYWxbV+ctpqSsND7siR5J9RGI2Kgh08+h44qtwar7oobPadniCSua/AonrbAeF3NHOLliI+DrJplNvvlt3yCUGCBI= ;
In-reply-to: <Pine.LNX.4.21.0609241341011.23961-100000@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.21.0609241341011.23961-100000@xxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.7 (Windows/20060909)

Jesper's Blog : More options on protecting against recent IEvulnerabilities on a domain:

http://msinfluentials.com/blogs/jesper/archive/2006/09/22/More-options-on-protecting-against-the-VML-vulnerability-on-a-domain.aspx

I like that option better. Leaves me supported and honestly I've notseen anything that I'm running that's used VML or freaked since I'vedone that?


Gadi Evron wrote:

On Sun, 24 Sep 2006, Bill Stout wrote:

http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-be

ing.html"This exploit can be mitigated by turning off Javascripting.

Update: Turning off Javascripting is no longer a valid mitigation. A
valid mitigation is unregistering the VML dll. "


There is, of course, the ZERT (Zeroday Emergency Response Team) patch,
available to those who choose to use it.
Along with source code, testing methodology, etc.

Naturally a vendor patch is BETTER, this is merely an alternative that can
be used, right now, by those who choose to do so.

http://www.eweek.com/article2/0,1895,2019162,00.asp
http://isotf.org/zert/

Richard wrote an interesting blog entry on it:
http://taosecurity.blogspot.com/2006/09/zert-evolution.html

Bill Stout


        Gadi.

--

Letting your vendors set your risk analysis these days?http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

Follow-Ups:
- Re: ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)]
  - From: Bojan Zdrnja
- Re: ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)]
  - From: Gadi Evron

References:
- ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)]
  - From: Gadi Evron

Prev by Date: wwwthreads <= 5.4.2 croos site script vulnerbilities
Next by Date: [ MDKSA-2006:169 ] - Updated Thunderbird packages fix multiple vulnerabilities
Previous by thread: ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)]
Next by thread: Re: ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)]
Index(es):
- Date
- Thread