Procrastination, delivered!

All about waiting for the apple to fall. Add yours – reach.singhsong@gmail.com

Archive for the ‘Bug/Vulnerability’ Category

Microsoft WMF Vulnerability – Patch Conundrum

Posted by hs on January 5, 2006

There has been a slew of patches for the WMF Vulnerability. In addition to the unofficial patch by Ilfak Guilfanov, a as-yet-unfinished Microsoft patch was released online inadvertently.

The vulnerability is very critical in the sense that the user does not need to do anything, except view the image. This can be viewed either in a email or via a browser. Microsoft refused to depart from its monthly patch-release schedule to release an express patch. This gives a cosy 10-day window for the vulnerability to wreck its way worldwide.

Meanwhile Ilfak rose to the occasion and posted an unofficial patch on this website. His site was down earlier due to humongous load (‘half the planet is downloading WMFFIX_HEXBLOG14.exe’), but is back now. The patch has also been mirrored by a number of sites including, GRC.com, Sunbelt Software, Antisource. F-Secure and Internet Storm Center (SANS) recommended that customers use Ilfak’s patches while Microsoft puts its patch together.
Resources

Update: Microsoft has released a patch – it is being automatically applied to machines (Win XP SP2 atleast) with Automatic Updates enabled.

Keywords: WMF, Vulnerability, Microsoft, Ilfak Guilfanov, Patch, WMFFIX_HEXBLOG, WMFFIX_HEXBLOG14, GRC.com, Window, Patch Schedule, F-Secure, Internet Storm Center, SANS, FAQ, Securiteam, Advisory

Advertisements

Posted in Bug/Vulnerability, Computing, Internet | 1 Comment »

Google Desktop tweaked

Posted by hs on December 7, 2005

Google Desktop has now been tweaked as a workaround against the IE CSSXCSS vulnerability.

Keywords: Google Desktop, Bug, Vulnerability, IE, CSS, CSSXCSS, Cross Site Scripting 

Posted in Bug/Vulnerability, Internet | Leave a Comment »

Adblock Flickr Workaround

Posted by hs on December 4, 2005

Recently while posting new pics on Flickr, I noticed that the Organizr was not working properly in Firefox. I double-checked the page in another browser (Netscape 7.2), and it seemed to be working all right. I had more than a hunch that AdBlock might be behind this, as some of the Flash objects in other sites were also not working properly.

Some searching on Flickr Forums led me to this thread. Disabling Obj-Tabs in AdBlock preferences helps. It might break something else, but I am not complaining, at least for now.

Here’s another (a bit unrelated) example of how AdBlock can be used creatively to alleviate problems created by other sites.

Keywords: AdBlock, Flickr, Organizr, Bug, Firefox, Obj-Tabs

Posted in Bug/Vulnerability, Internet | Leave a Comment »

Google Desktop Vulnerability; IE CSS Import Gotcha

Posted by hs on December 3, 2005

Matan Gillon has posted a exploit on vulnerability in Google Desktop v2 while using Internet Explorer. By taking advantage of the CSSXCSS (Cascading Style Sheets Cross Side Scripting) vulnerability in Internet Explorer, a hacker might be able to read data from pages fetched from other sites. If this sounds technical, picture this: you browse to a seeminly normal website (containing say pictures, articles, etc.). Typically one would not think that this website can read the details of the other page you have opened, say your bank account, or the shopping cart with credit card details. The IE vulnerability allows specially crafted pages to do just that.

Read the original article (Google Desktop Exposed: Exploiting an Internet Explorer Vulnerability to Phish User Information) for details. Possible precautionary steps (until this vulnerability is patched) are to disable JavaScript in IE or switch to a better browser (Firefox, Opera, etc.).

The proof of concept exploit is available here.

Get Firefox

Keywords: CSSXCSS, CSS, Google Desktop, Internet Explorer, IE, JavaScript, Cross Site Scripting, Vulnerability, Cross-site scripting, GDS, Exploit, Proof of concept, Firefox, Opera

Posted in Bug/Vulnerability, Internet | 1 Comment »