Monday, November 06, 2006

Watch out for JPGs now

Hi folks,

This has been an exceptionally busy weekend. First, ISS has alerted on a new IE 0-day, and then we separately discovered a new script that re-packages some existing exploits, the newest of which is SetSlice.

The ISS discovery is explained here ... http://xforce.iss.net/xforce/alerts/id/239 . It does not appear to work reliably at this point, but is an interesting discovery and interesting concept. We've added sigs for it and will keep watching for developments. Kudos to ISS for finding it.

Our discovery is also quite interesting in that the Bad Guys are referencing what appears to be a simple jpg, for example ...

h t t p :// www.SomeThingOrOther/img16349.jpg , and in fact, you do see a harmless picture, but they've prepended the html with an obfuscated jscript, which launches exploits at you. I'm sure, by the way, that this has always been possible, but I've never noticed it used quite this way before.

Unlike the normal iframer and trimode launchers, this one tries to be selective about what exploits it throws, based on the OS and patch level. The most recent exploit is SetSlice, which was patched in October, so if you are running SocketShield and you are patched, you have little to worry about.

Roger

0 Comments:

Post a Comment

<< Home