IE vulnerabilities by Liu Die Yu
They do not appear to have been posted on the original Unpatched Internet Explorer Bugs page yet. ヽRノ日記 also has information on them.
・New "Clean" IE Remote Compromise
By combining several vulnerabilities in Internet Explorer, an attacker can execute his EXE file on the victim's system.
・MHTML Redirection Leads to Downloading EXE and Executing
A vulnerability in Internet Explorer is found: any attacker that can reach the MYCOMPUTER security zone (a.k.a. local zone) is able to download his EXE file and execute it.
・BackToFramedJpu - a successor of BackToJpu attack
A cross-zone scripting vulnerability has been found in Internet Explorer. If a webpage contains some subframe (either FRAME tag or IFRAME tag), its security zone may be compromised.
・HijackClickV2 - a successor of HijackClick attack
After applying MS03-048, the original HijackClick exploit doesn't work any more. With method caching (a.k.a. "SaveRef"), HijackClick works again.
・Invalid ContentType may disclose cache directory
The problem lies in the download function of Internet Explorer. This can be exploited by malicious web pages to get cache directory including random names.
- 1st, online demo, powered by ASP: http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/threadid10008-Demo
- 2nd, demo in ZIP format, powered by NETCAT: http://www.safecenter.net/UMBRELLAWEBV4/threadid10008/threadid10008-Demo.zip
・Cache Disclosure Leads to MYCOMPUTER Zone and Remote Compromise
By combining cache file disclosure and several other unpatched vulnerabilities, a malicious INTERNET page can reach the MYCOMPUTER zone. The demo uses Adodb.Stream to launch a remote compromise attack.
- demos: Online demo, powered by ASP: http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/LocalZoneInCache-Demo/index.html (runs harmless demonstration executable)
・IE Remote Compromise by Getting Cache Location
With the help of LocalZoneInCache (refer to "[technical details]" part), an attacker can compromise a user's system even though the user has:
1. Customized IE cache directory,
2. Applied MS03-048 patch,
3. Set killbit for ADODB.STREAM ActiveX.
- online demo, powered by ASP: http://www.safecenter.net/UMBRELLAWEBV4/execdror6/execdror6-Demo/index.html (runs harmless demonstration executable)
Addendum: in the end, it comes down to this being no good at all.