[Dailydave] runonce and birds.
Parity
pty.err at gmail.com
Sat Mar 31 13:42:48 EDT 2007
> [2] This was shoddy work. It's just as bad as every bank putting their
> login page on a cleartext connection, as if MITM can't rewrite a form.
>
Okay: You're a hacker trying to position yourself to MITM the maximum number
of IE installations. You might think, hey, the typical IE install spends its
life doing http-without-the-s to MSN, hotmail/gmail, slashdot, myspace,
etc., non-stop, all day long. In the meantime, it'll visit
runonce.microsoft.com, uh, once.
I guess it wouldn't hurt to make runonce.microsoft.com an https:// link.
Not sure what to do about the whole rest of the interweb, tho.
pty
> Does anyone else feel like that? All of the "mitigating factors" on every
> Microsoft advisory say "A user would have to visit a malicious web page".
> And then you have people like Gadi Evron tracking each individual domain
> they think is "hot" and anti-virus companies taking in lists. But that
> runonce page runs in HTTP. Now I can see someone at MS sitting there with
> Fes's threat modeling book going "hmm, it makes an outbound connection", and
> then the project manager, who has some sort of liberal arts degree, going
> "but it only comes here to Microsoft so cleartext is ok". [2]
>
> I'm not going to go into the legitimacy of poisoning Windows DNS with the
> WPAD stuff mentioned this week, or the fact that most ISPs are run by
> hackers who will happily MITM every HTTP connection and shove an ANI exploit
> into www.opinionistas.com or whatever weblog your girlfriend is reading on
> your computer that day as she fantasizes she never got an English degree and
> went into law school. Even without all that, any hacker worth the term can
> hack websites faster than they can be cleaned up.
>
> I watched an AVI of Raven Adler's Shmoocon talk the other day. It was
> completely devoid of content, except at the end, when someone stood up and
> asked her "Why should we trust you to secure the Internet's infrastructure
> if you can't even secure your own laptop?"[1] She responded "0day can happen
> to anyone."
>
> This is true, I guess. The important corollary, is that since there are
> non-public kernel bugs, and non-public client-sides and the ability to shove
> them into every web page visited by almost anyone, that "0day can happen to
> everyone".
>
> Can and _does_. I think I will reinstall that XP box.
>
> FWIW in CANVAS you have this concept of a "post-condition" which is a
> module (or set of modules) that get run after an exploit is successful. So
> for example after the spooler exploit is run we restart the spooler
> service. I was tempted to make GDIWrite4 a post-condition for the CANVAS ANI
> exploit so that it was a full unpatched path to LOCAL\SYSTEM, but I decided
> against it at the last minute.
>
> The biggest question in the ANI exploit is "Why now?" If an attacker knew
> the average lifespan of an 0day, they could maximize their usage to optimize
> the number of hosts they hit. I'm not sure what this curve would look like
> (Dan Geer would know), but I'd predict you'd see 0day being "wasted" as it
> reaches the end of its predicted usefulness. Perhaps this is what happened
> to ANI.
>
> -dave
>
> [1] This was probably a reference to the events noted here:
> http://www.theregister.co.uk/2006/02/08/apple_vulnerability/ (The unknown
> researcher in this case is assumed to be Raven)
> [2] This was shoddy work. It's just as bad as every bank putting their login
> page on a cleartext connection, as if MITM can't rewrite a form. The SDL
> should say "No default outbound non-signed and sealed connections". But it
> doesn't. A while back everyone made a big hubbub over Michael Howard's
> feeling that there should be LESS vulnerabilities in modern Microsoft OS's.
> I got the feeling he was saying "or else we're all fired". XP SP2 is
> essentially in complete collapse. If this happens to Vista, a lot of
> companies might just make the decision to move their data security
> requirements over to hosting on Google-farms...
>
>
> Speaking of Kiwi's, Justine is headed back to Wellington, NZ, for a few
> days for a wedding. She took my SILICA with her, so if you want to get a
> quick demo, spam her an email.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave