RE: IE bookmark 'clever' feature not so clever after all

From: Petruzel, Oliver (OliverPat_private)
Date: Thu Aug 16 2001 - 06:35:57 PDT

     
    > Exploiting this would be a "social engineering" exploit, not a bug.
    > I guess the more integrated we get the harder it will be to prevent this
    > kind of social exploit.
    
    
    That is simply not accurate.  This exploit can harm IE users remotely
    through JavaScript coding, plain and simple.  If anything, it's a
    combination social/logical exploit.
    
    One of the most popular, yet subtle, methods of exploitation is malicious
    web content.  The key is simply drawing the viewers to the location.  The
    rest is handled silently by M$ software (in most cases - setting internet
    zone sec to high might prevent this or make it much more
    difficult/detectable).  This could also take place through the wonderful
    IE/Outlook relationships, and even more so perhaps in XP.  A malicious email
    can be sent that once viewed simply says "hi", while in the background, the
    scripting is placing or replacing bookmarks... or:
    
    Examples:
    1) Searched and replaced bookmark for yahoo.com or google.com.  They are
    replaced with commands such as rdisk or perhaps something else with
    user-level priv instead.  The next time the user wishes to search, they are
    confused and hacked (cracked.. whatever).  This is not a socially engineered
    exploit, it's a logical one.
    
    2) Links in email or web content which say one thing such as "you have a new
    greeting card at www.sweethearts.com", which point to a malicious site
    instead (Favorites change has occurred), which the attacker has crafted to
    error out (yet running malicious script quietly in the background) then
    redirects to the real site.  This is YOUR combo of social/logical.
    
    3) And just to bring up my favorite subject again, add Raw Socket priv's for
    all users to this equation... you do the math.  The possibilities then become
    endless!
    
    But as you may see, it's not purely social, and can be prevented simply by
    disallowing remote priv to "Favorites" defining.
    M$ all too often gives us these wonderful "features" that backfire.  I wish
    they would just K.I.S.S. 
    
    -oliver p.
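
A defender-side check for the bookmark replacement described in the message above, as an added example that is not part of the original post: it parses Favorites `.url` shortcut files and flags any whose target is not an http(s) URL. The sample shortcuts, the `C:\WINNT\system32` path and all function names are constructed for illustration.

```python
import configparser
from pathlib import Path
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}  # assumption: a Favorite should only point at a web URL

def shortcut_target(text):
    """Return the URL= value of an [InternetShortcut] file, or None if absent/malformed."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
        return parser.get("InternetShortcut", "URL", fallback=None)
    except configparser.Error:
        return None

def classify(text):
    """'ok' for http(s) targets; 'suspicious' for local paths, other schemes, or no target."""
    target = shortcut_target(text)
    if not target:
        return "suspicious"
    try:
        scheme = urlsplit(target.strip()).scheme.lower()
    except ValueError:
        return "suspicious"
    return "ok" if scheme in WEB_SCHEMES else "suspicious"

def audit(favorites):
    """favorites maps file name -> file text; returns the sorted names that need review."""
    return sorted(name for name, text in favorites.items() if classify(text) != "ok")

def audit_dir(root):
    """Audit every .url file under a Favorites directory on disk."""
    files = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.url")}
    return audit(files)

# Constructed sample: one untouched bookmark, two replaced with a local command.
SAMPLE_FAVORITES = {
    "Google.url": "[InternetShortcut]\nURL=http://www.google.com/\n",
    "Yahoo.url": "[InternetShortcut]\nURL=file:///C:/WINNT/system32/rdisk.exe\n",
    "Search.url": "[InternetShortcut]\nURL=C:\\WINNT\\system32\\rdisk.exe\n",
    "Broken.url": "URL=http://www.yahoo.com/\n",  # no section header
}

if __name__ == "__main__":
    for name in audit(SAMPLE_FAVORITES):
        print("review:", name, "->", shortcut_target(SAMPLE_FAVORITES[name]))
```

Comparing the flagged list against a known-good snapshot of the Favorites folder also shows which entries were added or replaced since the snapshot was taken.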
    



    This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 08:06:57 PDT