Browser exploit tests & alternative defenses


peakaboo
August 2nd, 2003, 12:43 AM
{QUOTE-> Admin Note: Before you click any of the exploit links below, be aware that these are direct links to real exploit demonstrations. Some of these exploits might crash your browser, at the least, and if you run on an unstable system, they might crash your system.

Some exploit demonstration links are not for the faint of heart!! However, we'll leave them here since this is a security site after all, and they are preceded by this bold warning to let the user beware.
- LowWaterMark <-QUOTE}
Poll Question:

{QUOTE-> Test Your Browser and 2ndary defenses. Just click on each numbered hyperlink exploit example below to test your Browser and alternative defenses, take the poll.

See voting instructions in message area 2 (next post) below.

If you use Proxomitron, Privoxy, or other software which defeats the exploit, post a reply stating how you defeated the exploit along with filters or other info. <-QUOTE}

All Browser makes & models are welcome. Put up all your defenses!

Hyperlink Poll speed = use your middle mouse button to click on each exploit example hyperlink if it is configured to open link in background, you will fly thru these tests. Right mouse click on hyperlink can achieve same result. Just remember to look at each result.

Exploit Examples as of 4/3/04 = 30 Total + a Browser Security Test (order = most recent or most challenging exploit first)

Alpha Exploits added after 4/3/04 = A-Z

______________________________

start Alpha Exploits:

Alpha exploit example A - IE Popup.show Mouse Event Hijacking exploit (http://freehost07.websamba.com/greyhats/hijackclick3.htm)

Alpha exploit example B - Mouseover exploit (http://www.geocities.com/xfuctxupx)

Alpha exploit example C.1 - IE JavaScript Desktop Spoofing exploit (http://www.guninski.com/bsod1.html)

Alpha exploit example C.2 - IE JavaScript Desktop downloading Spoofing exploit (http://freehost07.websamba.com/greyhats/dlwinspoof.htm)

Alpha exploit example D - Browser Popup tests (http://www.kephyr.com/popupkillertest/test/index.html)

Alpha exploit example E - IE Drag and Drop Vulnerability (http://freehost07.websamba.com/greyhats/longnamevuln.htm) <== proof of concept

Alpha exploit example F - IE Malformed IFRAME Remote Buffer Overflow Vulnerability (http://felinemenace.org/~nd/crash_ie/2446.html)

********* End Alpha Exploits *********

Start 30+ Poll Exploits:

Actual exploit example #1 JS.Exception.Exploit lockdowncorp (http://www.lockdowncorp.com/bots/now/nowtestyourbrowser.html)

Actual exploit example #2 privacy.net test (http://privacy.net/analyze/)

Actual exploit example #3 NetBios MAC address lockdowncorp (http://stealthtests.lockdowncorp.com/cgi-bin/macaddress)

Actual exploit example #4 PC Flank stealth test (http://www.pcflank.com/scanner1s.htm)

Actual exploit example #5 DoS ping test lockdowncorp (http://stealthtests.lockdowncorp.com/cgi-bin/ping)

Actual exploit example #6 File Download Extension Spoofing Test (http://secunia.com/internet_explorer_file_download_spoof/)

Actual exploit example #7 All Remote Environment Test lockdowncorp (http://stealthtests.lockdowncorp.com/cgi-bin/envtest)

Actual exploit example #8 NetBios Privacy Test - Login & Computer Name lockdowncorp (http://stealthtests.lockdowncorp.com/cgi-bin/netbioslogin)

Actual Exploit example #9 Malware forced Iframe (http://www.malware.com/forceframe1.html) <- malware is back! See Warning before taking this one!

Actual exploit example #10 AV Eicar test (http://www.eicar.org/download/eicar.com) <--- Simple Eicar test (harmless code)

Actual exploit example #11 Internet Explorer Script Execution Vulnerabilities (http://www.safecenter.net/UMBRELLAWEBV4/execdror5/execdror5-Demo/default.htm) <-- click Go when u get there

Actual exploit example #12 Internet Explorer Script URL Cross-Domain Access Violation Vulnerability (http://www.safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-MyPage.HTM)

Actual exploit example #13 Internet Explorer Unauthorized Clipboard Contents Disclosure Vulnerability (http://www.infinitybit.com/comsec/clippy.html) <-- select some text and use copy command to get the selected text to your clip board before you take this test

Actual exploit example #14 URI Display Obfuscation Weakness (http://www.zapthedingbat.com/security/ex01/vun1.htm)

Actual exploit example #15 Cross-Domain Policy Vulnerability (http://www.safecenter.net/UMBRELLAWEBV4/1stCleanRc/1stCleanRc-Xp/main.asp?FramedLocalPage=C:/WINDOWS/PCHEALTH/HELPCTR/System/panels/Context.htm)

Actual exploit example #16 Window.MoveBy/Method Caching Mouse Click Event Hijacking Vulnerability (http://www.safecenter.net/UMBRELLAWEBV4/HijackClickV2/HijackClickV2-MyPage.htm)

don't forget to back up notepad.exe for exploit #17

Actual exploit example #17 IE CHM File Execution Weakness (http://www.freewebs.com/arman2/showamp.htm)

Actual exploit example #18 IE URL Spoofing (http://www.microsoft.com%00@secunia.com/internet_explorer_address_bar_spoofing_test)

Actual exploit example #19 Opera URI Handler Directory Traversal Vulnerability:

Opera users, highlight the green text line below (left mouse hold and drag from the "O" in Opera to the last "e" in .exe), then right click the highlighted line and select "go to url"

opera:/help/..%5c..%5c..%5cwinnt/notepad.exe

Actual exploit example #20 Firebird markLinkVisited Arbitrary Script Code Execution Vulnerability (http://bugzilla.mozilla.org/attachment.cgi?id=130347&action=view)

Actual exploit example #21 IE Object Data exploit (http://www.secunia.com/MS03-032/TEST/)

Actual exploit example #24 IE java applet exploit (http://www.finjan.com/mcrc/demos/java_load.cfm)

Actual exploit example #25 IE activex exploit (http://www.finjan.com/mcrc/demos/activex_load.cfm)

Actual exploit example #26 IE scrap object exploit (http://www.finjan.com/mcrc/demos/exe/demo.doc)

Actual exploit example #27 IE view-source exploit (http://computerbytesman.com/security/notepadpopups.htm)

Actual Exploit example #28 IE img element & dynsrc exploit (http://security.greymagic.com/adv/gm003-ie/)

Actual Exploit example #29 IE Cascading Style Sheets (CSS) (http://security.greymagic.com/adv/gm004-ie/)

Actual Exploit example #30 IE Vulnerable cached objects exploit (http://security.greymagic.com/adv/gm012-ie/vobjcache.asp)

Browser Security Check (http://bcheck.scanit.be/bcheck/) <-- see note below b4 you click on this link

important note: Prior to running the Browser Security check, deactivate popup prevent software. I spoof as IE 'cause this will result in all vulnerability tests being performed (31 tests @ 4/3/04). If you run Privoxy, Proxomitron or Guidescope etc., adjust your filters so cookies, Java & JS are enabled.

Select "Only test for bugs specific to my type of browser" then press start test. Enjoy the ride!

That's it. See voting instructions in message area 2 (next post) below.

****************************************

S²: 8)

peakaboo

_________________

broken exploit links:

Broken exploit example #22 IE RPC DCOM exploit (http://www.secunia.com/MS03-039/TEST/)

Broken exploit example #23 IE globalDgArg exploit (http://security.greymagic.com/misc/globalDgArg)
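
An added example, not part of the original thread or any poster's code: a Python check of the kind a filtering proxy could apply to the two URLs shown in the first post (the `%00@` authority in exploit #18 and the `..%5c` path in exploit #19). The function names, finding codes and the `example.test` samples are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Percent-encoded C0 control byte or DEL (%00-%1f, %7f); never legitimate in an authority.
ENCODED_CONTROL = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")
# Text a reader would take for a host name, e.g. "www.microsoft.com".
HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def fully_unquote(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%255c) is exposed too."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def audit_url(url):
    """Return the host a client would really contact plus a list of finding codes."""
    parts = urlsplit(url)
    findings = []

    # 1. Encoded control bytes anywhere in the authority (user@host:port).
    if ENCODED_CONTROL.search(parts.netloc):
        findings.append("encoded-control-in-authority")

    # 2. Userinfo that reads like a host name: everything before the last "@"
    #    is only a login name, the real host is what follows it.
    if "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]
        user = fully_unquote(userinfo.split(":", 1)[0])
        visible = "".join(ch for ch in user if ch.isprintable())
        if HOSTLIKE.match(visible):
            findings.append("hostlike-userinfo")

    # 3. ".." path segments that only appear once percent-encoding is removed,
    #    treating both "/" and "\" as separators (Windows path handling).
    segments = re.split(r"[\\/]", fully_unquote(parts.path))
    if ".." in segments:
        findings.append("dot-dot-after-decoding")

    return {"host": parts.hostname, "findings": findings}


# The first two URLs are quoted from the first post; the rest are constructed samples.
SAMPLES = [
    "http://www.microsoft.com%00@secunia.com/internet_explorer_address_bar_spoofing_test",
    "opera:/help/..%5c..%5c..%5cwinnt/notepad.exe",
    "http://example.test/docs/%252e%252e%255cwinnt/x",
    "ftp://anonymous@ftp.example.test/pub/readme.txt",
    "http://www.wilderssecurity.com/showthread.php?t=14574",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit_url(sample)
        verdict = ", ".join(result["findings"]) or "clean"
        print(f"{verdict:55} host={result['host']}  {sample}")
```
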

peakaboo
August 2nd, 2003, 12:45 AM
This is message area 2:


message area 2 was revised to provide Poll Voting Instructions Only.


******************************

Poll Voting Instructions:

voting instructions for 3 categories of testers:

1) Those testing the exploits for the first time please complete all 30 exploits in message area 1 and take the Browser Security check for your browser then vote using Poll response 1 or 8.

2) Those who have been here before, and defeated all previous exploits #9 thru #30 + Browser Security Check, and have not voted before can use either poll response 1 if you fail to defeat all exploits or, poll response 8. The Poll won't allow you to vote again if you have already voted so post your results as I did.

3) Those who already failed 1 or more of exploits #9 thru #30 or the Browser Security check, please retake all 30 exploits + the Browser Security check, if you have not voted please select poll response 1. If you have already voted, sorry you are out of gas on the voting. You may instead post your results.


******************************

see message area 1 (previous post) for all exploit examples;

see post #17 below for links to more info on some of the vulnerabilities

peakaboo
August 2nd, 2003, 08:42 AM
Browser updates by MS are critical in resolving these security issues for IE.

In some cases browser updates may not be adequate. These are the cases in which alternate defenses may be applicable.

Example: exploits 2 & 3 appear to still get through. Alternative defense for me is my AV.

exploit #1 can be defeated by proxo filter iframe killer.

jedi
August 2nd, 2003, 05:52 PM
exploit #1 got me; guess it's time to update my browser to see if this helps.

exploits #2 thru 4 defeated

peakaboo
August 3rd, 2003, 01:22 AM
LWM,

I appreciate your putting the Admin. Warning message on the exploit page.

I remember the 1st time I ran exploit #1, my pulse rate quickened a bit. :o

exploit #1 may potentially be knocking many out of the box which could explain the lack of poll responses, so I'll move it down the exploit ladder and make it #4 instead of #1 and then highlight it as a difficult exploit.

Weird
August 3rd, 2003, 09:50 AM
Strange none of the exploits are working without using any form of defence such as proxomitron on IE 6

jedi
August 3rd, 2003, 09:22 PM
I just updated my IE5.5 browser with the latest cumulative patch Q818529 and the malware exploit still gets thru.

Also the other exploits were prevented not by the browser, but by other means.

Looks like MS has some work to do in fixing these security holes below 6. I guess they just say move to IE6, which probably has yet to be discovered security flaws. ::)

Tassie_Devils
August 7th, 2003, 11:38 AM
OK... did 1/2/3 no probs.. nothing happened... BUT... TEST 4.. ouch...

It tries to download a file, nothing wrong with that you may say.. however, it tries multiple times... I had over 160 "Download File" windows up before I could kill my browser in Task Manager...

ADVICE DO NOT TAKE TEST 4 LOL...

Cheers.

TAG97
August 7th, 2003, 03:08 PM
{QUOTE-> quoting: Tassie_Devils

OK... did 1/2/3 no probs.. nothing happened... BUT... TEST 4.. ouch...

It tries to download a file, nothing wrong with that you may say.. however, it tries multiple times... I had over 160 "Download File" windows up before I could kill my browser in Task Manager...

ADVICE DO NOT TAKE TEST 4 LOL...

Cheers.
<-QUOTE}
Yep. I agree :) It sucked up all my resources and I had to power off manually. :-[

peakaboo
August 7th, 2003, 05:24 PM
{QUOTE-> quoting: TAG97
{QUOTE-> quoting: Tassie_Devils

OK... did 1/2/3 no probs.. nothing happened... BUT... TEST 4.. ouch...

It tries to download a file, nothing wrong with that you may say.. however, it tries multiple times... I had over 160 "Download File" windows up before I could kill my browser in Task Manager...

ADVICE DO NOT TAKE TEST 4 LOL...

Cheers.
<-QUOTE}
Yep. I agree :) It sucked up all my resources and I had to power off manually. :-[
<-QUOTE}

Hope you both read the admin warning from LowWaterMark and the note from me (peakaboo) about Exploit #4

Anyway the important thing is this is a relatively safe way to see if you are vulnerable to this type of attack. Now that you know you can do something about it if you choose to do so.

I stated at the outset:

{QUOTE->
Browser updates by MS are critical in resolving these security issues for IE.

In some cases browser updates may not be adequate. These are the cases in which alternate defenses may be applicable.

Example: exploits 2 & 3 appear to still get through. Alternative defense for me is my AV.

exploit #4 can be defeated by proxo filter iframe killer. <-QUOTE}

Weird guest confirms IE6 patched is not vulnerable to this exploit even without proxo, but this may depend on your OS (win 9x may be vulnerable with or without IE6).

Ctrl+Alt+Del should kill if you get there fast enough

Guess the poll should now read:

I failed 1 or more of the initial exploits = 2

(possibly more I'm guessing those who fail exploit #4 and have a browser shut down do not come back to answer the poll)

peakaboo
August 17th, 2003, 02:40 PM
Last person to vote must be clairvoyant, since he/she already defeated vulnerabilities in addendum 1 thru 3 which have not been posted yet. :)

Moderators, if possible please move the 1 vote from:

I defeated initial exploits and addendum 1 thru 3 vulnerabilities

to:

I defeated all 4 exploits listed with the initial poll posted on 8/1/2003

Also if there is a way to lock part of the voting options until I am ready to use, let me know. If I could I would lock options 4 thru 8 till I am ready to use.

I added addendum 1 today with 6 new exploits to try.

Paul Wilders
August 17th, 2003, 04:29 PM
peakaboo,

{QUOTE-> Moderators, if possible please move the 1 vote... <-QUOTE}

Sorry, but we can't manipulate votes made ;)

regards.

paul

peakaboo
August 17th, 2003, 04:47 PM
I could not vote again without registering under a different user name, so I decided to post my result:

poll option #3 (I defeated initial exploits and addendum 1 vulnerabilities ) = 1 vote from me

peakaboo1
August 18th, 2003, 01:46 AM
I ran Opera against all 10 exploits, and it defeated 9 out of the 10 exploits. 8)

It had a little problem with exploit #4. I did not get multiple popup windows. But when I was prompted to cancel the download, Opera froze. Had to restart my pc.

Maybe a setting tweak. Not sure at this point.

Very Nice Browser though.

I think I'll keep. :D

peakaboo
August 18th, 2003, 09:59 AM
{QUOTE-> quoting: peakaboo1
I ran Opera against all 10 exploits, and it defeated 9 out of the 10 exploits. 8)

<-QUOTE}

BTW, Opera defeats all ten exploits, the force iframe exploit #4 is defeated by tweaking your preferences (under page style - uncheck or disable inline frames)

Not really thread hijacking, since the point of the above exploits is alternative defenses against IE exploits. In this case it is in the form of using a different Browser (Opera) which appears to have its defenses in order to defeat these exploits.

10 out of 10 IE exploits defeated by Opera - not bad.

My Post above (Peakaboo1) regarding Opera's performance on IE vulnerabilities does fit here.

These are IE exploits defeated by alternative defense (using a browser not susceptible to these IE exploits).

peakaboo
August 18th, 2003, 10:00 AM
4/3/04 update =

added 8 exploit examples

See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all 30 exploit examples, and Browser security Check before answering the poll.


Also see important Admin Note from LowWaterMark


Enjoy! 8)

peakaboo
September 27th, 2003, 05:51 PM
additional info on some of the exploits:

alpha exploits reference info:

http://www.securityfocus.com/bid/10690/discussion/

http://www.securityfocus.com/bid/3469/discussion/

Poll exploit reference info:

info about exploits 1, 3, 5, 7 & 8: http://stealthtests.lockdowncorp.com

info about exploit 2: http://privacy.net

info about exploit 4: http://www.pcflank.com/scanner1s.htm

info about exploit 6: http://www.wilderssecurity.com/showthread.php?t=11975;start=msg150423#msg150423

info about exploit #9: http://www.malware.com <== malware debated commercialization of this resource, but as of 2/1/04 they decided to do the right thing and allow free access to this info and the malware exploit example.

note from peakaboo about Exploit #9:

Exploit #9 if you are vulnerable (IE 5.5 and below & Win9x) & it runs on your pc may cause your pc to not respond as LWM has indicated - really cool exploit flaming screen appears, use Ctrl+Alt+Del to kill the .exe which should appear multiple times

(if you are not familiar with what I am talking about and your OS is win9x & browser is IE 5.5 or below you may want to skip this exploit and assume you are vulnerable and mark the poll as having failed at least 1 exploit)

info about Exploit #10: http://www.eicar.org/anti_virus_test_file.htm

purpose of exploit #10: to see if your AV catches harmless Eicar code in cache before it officially makes it on to your hard drive (Important note: eicar.org cannot be held responsible when these files or your AV scanner in combination with these files cause any damage to your computer.)

info about Exploit #11: http://www.securityfocus.com/bid/8577/discussion/

info about Exploit #12: http://www.securityfocus.com/bid/9013/discussion/

info about Exploit #13: http://www.securityfocus.com/bid/9643/discussion/

info about Exploit #14: http://www.securityfocus.com/bid/9182/discussion/

info about Exploit #15: http://www.securityfocus.com/bid/9109/discussion/

info about Exploit #16: http://www.securityfocus.com/bid/9108/discussion/

info about Exploit #17: http://www.securityfocus.com/bid/9320/discussion

info about Exploit #18: http://www.secunia.com/advisories/10395

info about Exploit #19: http://www.securityfocus.com/bid/9021/discussion

info about Exploit #20: http://www.securityfocus.com/bid/9329/discussion

info about Exploit #24: http://www.finjan.com/mcrc/demos/java.cfm

info about Exploit #25: http://www.finjan.com/mcrc/demos/activex.cfm

info about Exploit #26: http://www.finjan.com/mcrc/demos/object.cfm

info about Exploit #30: http://security.greymagic.com/adv/gm012-ie/

peakaboo
September 28th, 2003, 06:15 AM
j4tr:

I have made a switch to an alternative browser.

Testing Opera 7.2 against the 12 IE vulnerabilities & the Browser Security test, my vote is result #4 = I defeated initial exploits and addendum 1 & 2 vulnerabilities.

stubbed my toe on walla, but when I get a chance I'll take a look at that again.

Firebird and other alternative browsers feel free to vote and or post your responses.

Firebird users sure are quiet on this thread :)

I'll be taking a look at Firebird once it gets out of beta, but I really like Opera.

j4tr = just for the record

libbo1
September 28th, 2003, 08:51 AM
OK I'm the Firebird guinea pig:

Defeated all! (including extra credits) using Guidescope proxy. ;D

peakaboo
September 28th, 2003, 01:31 PM
{QUOTE-> quoting: libbo1
OK I'm the Firebird guinea pig:

Defeated all! (including extra credits) using Guidescope proxy. ;D
<-QUOTE}

Hi libbo1,

Thanks for sharing your Firebird results.

1) If you really want to be a guinea pig try exploit #s 4, 5, 7, 9, 10, 12 and the 2 Super Ads again without Guidescope and post your results. You are under no obligation to do so of course, and this is not a challenge. Do it if you have time and only in the interest of sharing and your own intellectual curiosity.

2) Also, if Guidescope has a log of the filters which are triggered on the super ads, I would be interested in knowing what was triggered. Your response may help facilitate debugging the proxo kicka$$ Ad pages. :)

libbo1
September 28th, 2003, 01:45 PM
lol u wanna me to run naked down the street! Guidescope is very good at blocking ads and popups, like about 100%. Will shed my protective armor in the interest of the test and report back. As for a filter log, it's proprietary info Guidescope doesn't share with its users!

peakaboo
September 28th, 2003, 02:58 PM
{QUOTE-> quoting: libbo1
lol u wanna me to run naked down the street!
<-QUOTE}

Not exactly :)

{QUOTE->
Guidescope is very good at blocking ads and popups, like about 100%. Will shed my protective armor in the interest of the test and report back.
<-QUOTE}

It may be a good exercise for you to see how Firebird does on its own in case someone figures out how to bring Guidescope down.

I appreciate your willingness to share.

peakaboo
September 30th, 2003, 02:39 AM
{QUOTE-> quoting: peakaboo

Browser Security check added 9/27/03:

http://bcheck.scanit.be/bcheck/ <---Browser Security ck

important note: deactivate popup prevent software, Privoxy & Proxomitron prior to running the Browser Security check, enable cookies & enable Java & JS.

<-QUOTE}

If you ever want to have some "fun", run all 30 (as of the date of this post) of the Browser Security Tests at the above referenced URL.

I was running Opera 7.2 almost naked (proxo disabled) :) and got dinged for 1 medium risk Vulnerability out of 30, have no idea why... yet...

Browser Security Test Results

Dear Customer,

The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities: 0
Medium Risk Vulnerabilities: 1
Low Risk Vulnerabilities: 0

also not sure what the point of this test was:

Test moz91043 - begin

but it sure was long

LOL

********************************
interesting stats on this test

from the link:

Want to know how everyone else is doing on Browser Test? Check our statistics.

**********************

have fun... 8)

peakaboo
September 30th, 2003, 10:16 AM
hard to draw any inferences from the above Browser Security stats, it would be nice to see a breakout of vulnerabilities by browser type...

Firebird naked run ???

rerun2
October 3rd, 2003, 03:55 PM
Mozilla Firebird 0.7+ has currently not been tested by http://bcheck.scanit.be/bcheck/ . But I ran all 30 tests anyways. I do not use any web/content filtering apps.

Browser Security Test Results

Dear Customer,

The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities: 0
Medium Risk Vulnerabilities: 0
Low Risk Vulnerabilities: 0

New bugs keep coming! Sign up for announcements of new tests.

Questions about the test? Read the FAQ.

Still having questions? Send us your feedback.

Want to know how everyone else is doing on Browser Test? Check our statistics.

peakaboo
October 3rd, 2003, 05:09 PM
{QUOTE-> quoting: rerun2
Mozilla Firebird 0.7+ has currently not been tested by http://bcheck.scanit.be/bcheck/ . But I ran all 30 tests anyways. I do not use any web/content filtering apps.

Browser Security Test Results

Dear Customer,

The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities: 0
Medium Risk Vulnerabilities: 0
Low Risk Vulnerabilities: 0

New bugs keep coming! Sign up for announcements of new tests.

Questions about the test? Read the FAQ.

Still having questions? Send us your feedback.

Want to know how everyone else is doing on Browser Test? Check our statistics.
<-QUOTE}

What version of Sun Java are you running?

Also if you get a chance please answer the post put to Libbo1:

{QUOTE->

Hi libbo1,

...Firebird results.

1) If you really want to be a guinea pig try exploit #s 4, 5, 7, 9, 10, 12 and the 2 Super Ads again without Guidescope and post your results. You are under no obligation to do so of course, and this is not a challenge.
<-QUOTE}




url repaired==bigc

rerun2
October 3rd, 2003, 06:18 PM
I am running an old version of Sun Java J2SE 1.4.1.03. With Mozilla Firebird 0.7 (nightly build 10-1-2003).

Exploit 4 - Opens up a 'save as' dialog requesting to download foobar.exe. I clicked cancel. In the browser window a black box appears in the upper left and that is it.

Exploit 5 - I believe this is the one where u click on the link and it opens up notepad or something. I clicked on the link and notepad didn't open. Instead I got an 'alert' dialog with a string of random characters... and ending with "could not be found. Please check the name and try again."

Exploit 7 - No file was created on my computer. I also received a dialog saying the site's security certificate has expired and if I should accept or reject. I chose reject. A small gray box also is displayed in the upper left with a red 'x' in it. Nothing else happened.

Exploit 9 - 'Save as' dialog opens asking if I want to save demo.doc. Firebird reveals that it is an exe despite the document icon.

Exploit 12 -

MS03-039: Test Result

The vulnerability test has been performed. Please read the result of the test below.

RESULT:
Could not connect to Endpoint Mapper(Port 135/tcp). This could be because you are behind a firewall.


Edit: Forgot the 2 Super Ads. Went to both sites. I am also using an old flash player for Firebird. Forgot the exact version but it was the latest v6. I went to both sites and while they are both littered with ads I did not notice anything particularly annoying or aggravating about the ads. I did not see any floating ads or the kind that will follow your mouse cursor or move up and down as you scroll the page. No pop-ups on the sites either, even though I turned off Firebird's pop up blocker. Considering the amount of ads both sites loaded pretty quickly. Is there anything I should be looking for in these sites?

peakaboo
October 3rd, 2003, 09:13 PM
Sounds like Firebird works well against these IE exploits on your system.

The only one I thought might cause you a problem was #4. In Opera 7.11 if you run with frames & in line frames enabled you get owned.

I see not even a mild burp on your system. Good job Firebird.

Vulnerabilities 1-12 should be no problem for most systems even running naked.

Sounds like Firebird handled The Superads with no problem. Again great result.

Not sure why Crockett using Firebird .6 got this result:

{QUOTE-> Firebird 0.6 and Phoenix 0.5 seem to display some information when Javascripts are activated.

I connected from here to the site http://www.leader.ru/secure/who.html

and the results page displays under 'Javascript' the number of sites visited and the fact that I just left www.wilderssecurity.com/ <-QUOTE}

http://www.wilderssecurity.com/showthread.php?t=14249;start=45

But got my attention and confirmed for me why I'm waiting to try Firebird. When Firebird comes out of beta I may give it a try :) Opera 7.2 is a speed demon I hear Firebird is tooooooooo 8)

What are ya packing? CPU ram anti* software etc.




repaired url's==bigc

libbo1
October 3rd, 2003, 11:18 PM
Well Rerun did the work for me! Same version I'm using 0.7.
Crockett's ver was 0.6. Lotta changes and improvements. I think a feature ppl really like is tab browsing, ie the ability to have numerous browsers open but in one window. Set em up to autoupdate and your favorite site is just a mouse hover away, with no need to refresh!

weddy
October 7th, 2003, 04:22 PM
Firebird 0.6.1

1-3 - nothing

4 - one download dialog box; I cancelled it, and did not receive any other download boxes

5-6 - nothing

7 - java asked if I wanted to install the applet, I declined and that was the end of it

8 - nothing ever loaded except the gif telling me it was loading ::)

9 - browser dialog box asking what I wanted to do with the .doc file, I cancelled, and that was that

10 - interesting, but it didn't open notepad. I saw google's source, and my win.ini source in a browser tab (that could be because I've tweaked my firebird)

11 - nothing

12 - "RESULT:
Could not connect to Endpoint Mapper(Port 135/tcp). This could be because you are behind a firewall." ...I do not have my firewall on for these tests

Extra credit from ComputerCops - I have a plugin for firebird that blocks flash unless I click on it to enable it. So no flash ads (if that was what the test was for :P)

peakaboo
October 7th, 2003, 08:41 PM
See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all exploit examples and Browser security Check before answering the poll.

peakaboo
October 7th, 2003, 08:51 PM
{QUOTE-> quoting: weddy
Firebird 0.6.1

10 - interesting, but it didn't open notepad. I saw google's source, and my win.ini source in a browser tab (that could be because I've tweaked my firebird)

<-QUOTE}

Good results except for 10.

I'm using Opera, I get a 404 error when I click on the google or win.ini source on the computerbytes page from exploit 10.

You missed 1 test, under Addendum II. Browser Security Test.

Good to know Firebird is out there along with Opera (and others) as alternatives to IE.

I have not used IE since switching to Opera. :)

I'm not totally convinced these browsers are not exploitable, I'm guessing if the same effort to exploit were thrown at either, we would still have a smile but it may not be as broad. ;D 8) :D ;)

weddy
October 9th, 2003, 08:25 PM
{QUOTE-> quoting: peakaboo
{QUOTE-> quoting: weddy
Firebird 0.6.1

10 - interesting, but it didn't open notepad. I saw google's source, and my win.ini source in a browser tab (that could be because I've tweaked my firebird)

<-QUOTE}

Good results except for 10.

I'm using Opera, I get a 404 error when I click on the google or win.ini source on the computerbytes page from exploit 10.

You missed 1 test, under Addendum II. Browser Security Test.

Good to know Firebird is out there along with Opera (and others) as alternatives to IE.

I have not used IE since switching to Opera. :)

I'm not totally convinced these browsers are not exploitable, I'm guessing if the same effort to exploit were thrown at either, we would still have a smile but it may not be as broad. ;D 8) :D ;)
<-QUOTE}

#10 didn't concern me too much since it just did a view source that showed up in a browser tab. I'm just glad it wasn't able to force a program open ;D

OOPS on the "Browser Security Test"; actually I did start it, but it quit working after loading that 900GB page LOL. I forgot to add that to the report since it stopped working. Now it won't run because I'm killing pops, I turned off that option LOL, guessing I have that configured elsewhere too, but forgot about it.

I agree with you on the "if the effort were put to these browsers" thoughts. It's probably just a matter of time, when more switch over. Hope I'm wrong.

peakaboo
October 25th, 2003, 11:41 AM
Looks like M$ (Microsoft) is taking security issues and raising to the critical level of importance where it belongs. This observation is based solely on their efforts recently to patch their products and address known vulnerabilities (see note from PivX Solutions below). Past history indicates a definite move toward addressing all known vulnerabilities.

Microsoft is a big target.

They need to continually provide user incentive to upgrade in order to stay in business and generate revenue. Can't fault them for this.

Interesting to me to see Microsoft maligned as being evil in some camps. Also interesting to see those trying alternatives struggle with what Microsoft makes so easy and transparent for the average user.

http://www.wilderssecurity.com/showthread.php?t=14574

IE browser for me is dead (though unfortunately I still need to keep it on my system due to tight integration with the OS). I'm running Opera and using M2 for mail client, and am very pleased. I think I can safely dump Netscrap 4.7 (my backup to IE). I will try Firebird once it comes out of beta. I'm still running Win9x, and it performs well. Waiting on Longhorn (2006?) could be a while. :)

I will continue to update my poll test list here, but since switching to Opera I am finding greater peace of mind on the security issue, and I don't have to worry about updating those IE patches.

**************************************

excerpt note from PivX Solutions:

http://www.pivx.com/larholm/unpatched/

... Recently, we have seen a sea change in Microsoft's commitment to rid its IE browser of the vulns that PivX Solutions and other third party researchers have identified. Given Microsoft's recent positive actions together with the current rise in attacks against IE we have agreed to give Microsoft a good faith reprieve and have taken down our "Unpatched" page. This was done in both a spirit of cooperation and for the good of the internet as a whole. As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods. ENOUGH IS ENOUGH! ...

peakaboo
January 4th, 2004, 01:06 AM
2/11/04 update = Addendum IV:

added 3 new IE exploits

See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all 18 exploit examples, and Browser security Check before answering the poll.


Also see important Admin Note from LowWaterMark


Enjoy! 8)

peakaboo
February 12th, 2004, 12:39 AM
2/11/04 update = Addendum IV:

added 3 new IE exploits

See page 1 of this thread, message area 1 of this poll for all 18 exploit examples, and Browser security Check before answering the poll.
________________________________


My result thru Addendum IV exploits:

Poll response #6 - I defeated all 18 exploits + the 30 exploits from the Browser security check.

using alternative Browser & Scott's triangle :D

peakaboo
March 20th, 2004, 08:30 PM
3/20/04 update = Addendum V:

added 3 new IE exploits plus eicar AV test

See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all 22 exploit examples, and Browser security Check before answering the poll.
________________________________

My result thru Addendum V exploits:

Poll response #7 - I defeated all 22 exploits + the 30 exploits from the Browser security check.

using alternative Browser, Scott's triangle, and Good AV & Firewall protection ;)

peakaboo
March 26th, 2004, 08:26 PM
Just ran across this nice little exploit will add it here for now:

File Download Extension Spoofing (http://secunia.com/internet_explorer_file_download_spoof/)

After you have clicked the link above:
If your Internet Explorer/Opera is vulnerable to this issue, a "File Download" dialog box will be displayed with the field "File name" or "File" being spoofed to be a .pdf file.

If you choose "Open" in the "File Download" dialog box, the file will be executed as an HTML executable instead of being displayed with your favorite PDF viewer. This happens even though the filename seems to be "Secunia_Internet_Explorer.pdf" or "Secunia.pdf".

________________________________
Solution:
1) Do not use "Open" file, always save files to a folder as this reveals the suspicious filename.

2) or if you use Proxomitron:

Computer Cops forum Proxomitron ref for filter below (http://www.computercops.biz/postt15379.html&sid=91d401d81017117393a123210975de6d)

Mizz Mona: has written a Header filter which allows you to see the actual file name & recommends a "no" for open request <--- Note: I tried this filter, and the one by Proxfox, both work, but the one from Mizz Mona is cooler ;)

In = TRUE
Out = FALSE
Key = "Content-Disposition: IE Exploit Attachment-Spoof [Alert+Choice] [Mizz Mona] (in)"
Match = "\1{\2}\3&$ALERT(*** WARNING ***\nIE Attachment-Spoof Exploit Detected!\n\n\1{\2}\3)($CONFIRM(Allow only the attachment below? (Safest action= NO)\n\n\1\3)|$SET(1=\k)$SET(3=))"
Replace = "\1\3"

________________________________
more info here:

http://secunia.com/advisories/10736/

&

http://secunia.com/Internet_Explorer_File_Download_Extension_Spoofing_Test/
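
Added example, not part of the original post and not Mizz Mona's filter: a Python version of the same check for a proxy or for log review. It flags a brace-enclosed segment in the Content-Disposition filename (the part the filter above matches between `{` and `}`) and models the filter's choice of either passing the header with that segment removed or blocking it. The function names and the sample header values are constructed for illustration.

```python
import re

# Brace-enclosed segment, the part the Proxomitron filter matches
# between "{" and "}" in its "\1{\2}\3" pattern.
BRACED = re.compile(r"\{[^{}]*\}")

# filename parameter, quoted or unquoted.
FILENAME_PARAM = re.compile(
    r'filename\s*=\s*(?:"([^"]*)"|([^;]*))', re.IGNORECASE
)


def extract_filename(header_value):
    """Return the filename parameter of a Content-Disposition value, or None."""
    m = FILENAME_PARAM.search(header_value)
    if not m:
        return None
    name = m.group(1) if m.group(1) is not None else m.group(2)
    return name.strip()


def check_content_disposition(header_value):
    """Flag a braced segment in the filename and build the stripped header.

    Returns a dict with:
      suspicious - True when the filename carries a {...} segment
      filename   - the filename exactly as the server sent it
      displayed  - the filename with the braced segment removed
      sanitized  - the whole header value with the braced segment removed
    """
    filename = extract_filename(header_value)
    if filename is None or not BRACED.search(filename):
        return {"suspicious": False, "filename": filename,
                "displayed": filename, "sanitized": header_value}
    return {
        "suspicious": True,
        "filename": filename,
        "displayed": BRACED.sub("", filename),
        "sanitized": BRACED.sub("", header_value),
    }


def apply_filter(header_value, allow):
    """Model the filter's prompt: allow passes the stripped header, else block.

    Returns the header to forward, or None when the response is blocked.
    Headers without a braced filename pass through unchanged.
    """
    result = check_content_disposition(header_value)
    if not result["suspicious"]:
        return header_value
    return result["sanitized"] if allow else None


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = [
        'attachment; filename="statement{PLACEHOLDER}.pdf"',
        'attachment; filename="report.pdf"',
        "inline",
    ]
    for value in samples:
        r = check_content_disposition(value)
        verdict = "ALERT" if r["suspicious"] else "ok"
        print(f"{verdict:5} sent={r['filename']!r} stripped={r['displayed']!r}")
```

Printing the filename exactly as sent is the same idea as solution 1 above: the full name is what gives the spoof away.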

peakaboo
April 3rd, 2004, 05:10 PM
4/3/04 update = added 8 exploit examples

See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all 30 exploit examples, and Browser security Check before answering the poll.

If you defeat all Exploit examples and Browser security tests, send me (peakaboo) a PM and I'll add you to S² (S squared or Secure Surfer) shown at the end of the Exploit Examples page 1, message area 1 (1st posts)

All Browser makes & models are welcome. Put up all your defenses!

*** if you have trouble stealthing your IP address (Exploit Examples 2, 5, & 7) and you run proxomitron PM me, and I'll point you to some stealthing info - u r 5 min or less away from a stealth IP addy***

Also see important Admin Note from LowWaterMark


Enjoy! 8)

RedLobster
April 3rd, 2004, 05:46 PM
Peekabo

ok I'm game for the test.....will go them all.....using IE..firewall..anti-virus....and my own made block list.......

RedLobster
April 3rd, 2004, 05:55 PM
Nope....canceled test......won't go to lockdown website......my pref not to

peakaboo
April 7th, 2004, 04:26 PM
{QUOTE-> Nope....canceled test......wont go to lockdown website......my pref not to <-QUOTE}


Anyone who has a problem with lockdown - just skip those 5 tests, vote, and post your results saying you skipped Lockdown tests.

The lockdown exploits are clearly marked (exploit #1, 3, 5, 7 & 8 ).

The Lockdown exploits are easy to defeat. I understand this is not the issue; but rather due to past perceptions and or issues, some may choose not to go to their site.

Personally I feel those 5 tests are pretty good, and if my pc were vulnerable I sure would like to know sooner rather than later, so I could attempt to do something about it before getting owned.

_____________________________________________

so again:

4/3/04 update = added 8 exploit examples

See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all 30 exploit examples, and Browser security Check before answering the poll.

If you defeat all Exploit examples and Browser security tests, send me (peakaboo) a PM and I'll add you to S² (S squared or Secure Surfer) shown at the end of the Exploit Examples page 1, message area 1 (1st posts)

All Browser makes & models are welcome. Put up all your defenses!

*** if you have trouble stealthing your IP address (Exploit Examples 2, 5, & 7) and you run proxomitron PM me, and I'll point you to some stealthing info - u r 5 min or less away from a stealth IP addy***

Also see important Admin Note from LowWaterMark


Enjoy! 8)

Kye-U
July 15th, 2004, 02:18 AM
I wrote a Proxomitron Security Pack for all Browsers ^_^

http://www.kye-u.com/proxo/downloads.php?id=cfgpacks

You can download it from there. Please consider signing up on our forums too! We need more members.

ronjor
July 15th, 2004, 09:22 AM
{QUOTE-> I wrote a Proxomitron Security Pack for all Browsers ^_^

http://www.kye-u.com/proxo/downloads.php?id=cfgpacks

You can download it from there. Please consider signing up on our forums too! We need more members. <-QUOTE}

Any more info on what your filters contain?

Knightmare2
July 15th, 2004, 09:46 AM
I took a quick look at the filters, while I'm no security expert, I don't think the filters in there are useful. Many of them address exploits that are patched already, while some are far too specific and won't capture even the slightest variant of the same track.

peakaboo
July 15th, 2004, 11:17 AM
{QUOTE-> I wrote a Proxomitron Security Pack for all Browsers ^_^

http://www.kye-u.com/proxo/downloads.php?id=cfgpacks

You can download it from there. Please consider signing up on our forums too! We need more members. <-QUOTE}

kye-u,

Welcome to this thread. I appreciate your contribution. Also good to see your forum back. I will be visiting again ;) always good to get the latest proxo tweaks and share.

For those who are interested, the following is a list of exploits which kye's filter is targeting. I can personally vouch for the following filter in your pack:

"Content-Disposition: IE Exploit Attachment-Spoof [Alert+Choice] [Mizz Mona]

as post #38 above indicates - it is a sweet filter - thanks for including in your pack.

When I get time, I'll take a look at the rest. Keep up the good work.

Final thought is one of the best defenses against exploits is to stop using IE and instead pick an alternative browser and make it your default browser.

http://www.newsforge.com/article.pl?sid=04/07/01/123233
________________________________

from kye's filter pack:

## Kye-U Security Pack
##

[HTTP headers]
"Content-Disposition: File Extension Exploit [Kye-U] (In)"
"Content-Disposition: IE Exploit Attachment-Spoof [Alert+Choice] [Mizz Mona] (in)"
"Location: Local Resource Exploit [Kye-U] (In)"
(Header: Local Resource Exploit attempt detected at \1::\2)"

[Patterns]
Name = "Block XSL Scripts"
Name = "Defuse IE6 Crash - Absolute CSS Bug"
Name = "Defuse "While-Loop" Browser Bombs"
Name = "IFrame File Exploit [Kye-U]"
Name = "Invisible Object Tag [Kye-U]"
Name = "Hide ClipBoard Contents [Kye-U]"
Name = "IE: Active Scripting Exploit [Kye-U]"
Name = "IE: Classic Folder View Exploit [Kye-U]"
Name = "IE: Cross Site Exploit [Kye-U]"
Name = "IE: CSS Exploit [Kye-U]"
Name = "IE: CSS Read Local File Exploit [Kye-U]"
Name = "IE: Cross-Domain Policy Exploit [Kye-U]"
Name = "IE: Defuse "Form Action+" Browser MailBombs"
Name = "IE: Expose Local Files Exploit [Kye-U]"
Name = "IE: File Download Error Message Exploit [Kye-U]"
Name = "IE: JS Exception Exploit [Kye-U]"
Name = "IE: Local Zone Access Exploit [Kye-U]"
Name = "IE: Object Data Exploit [Kye-U]"
Name = "IE: Favorites Read Exploit [Kye-U]"
Name = "IE: Restricted Cookie Exploit [Kye-U]"
Name = "IE: Search-Pane Exploit [Kye-U]"
Name = "IE: showHelp() Exploit [Kye-U]"
Name = "IE: Spoofed Address [Kye-U]"
Name = "IE: Status Bar Spoof Exploit [Kye-U]"
Name = "IE: Target Frame (Prevents Third-Party Frame Injection into Microsoft) [Kye-U]"
Name = "IE: View-Source Exploit [Kye-U]"
Name = "IE+XP: Kill & Alert HCP Links"
Name = "IE5/Opera Exploit (IMG SRC)"
Name = "IE5 Exploit (FORM Big Size Input)"
Name = "Mozilla: Java Crash Bug [Kye-U]"
Name = "Mozilla: Javascript Exploit [Kye-U]"
Name = "Mozilla: Arbitrary Script Execution Exploit [Kye-U]"
Name = "Mozilla: 0-Width GIF Exploit [Kye-U]"

Kye-U
July 15th, 2004, 03:29 PM
Updated the pack once again: http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

Glad to see you so active and dedicated to this topic ^_^

And can you tell me where to find more information on tests #16, 20 and 25? Thanks!

peakaboo
July 15th, 2004, 06:06 PM
{QUOTE-> And can you tell me where to find more information on tests #16, 20 and 25? <-QUOTE}

Kye, see post #17 (first page of this thread). It should provide reference info. for most of the exploits if available.

Appreciate your adding the update link.

I can appreciate what you are doing, because I know that when someone grows accustomed to a certain browser version, sometimes they just don't want to move away from that version if there is another viable solution (depending on the nature of the security issue). This applies not only to IE but to the Browser alternatives too.

Kye-U
July 15th, 2004, 06:44 PM
Must've overlooked that part...thanks ^_^

BTW:

Pack Updated: July 15, 2004 - 6:17 PM EST

http://www.kye-u.com/proxo/forums/index.ph...=10&t=131&st=0#

-Fixed False Matching Filter (IE: Active Scripting Exploit [Kye-U])

bigc73542
July 15th, 2004, 09:08 PM
Opera version 7.52

Kye-U
July 16th, 2004, 08:22 PM
Peakaboo, a major update today: http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

ChangeLog: http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=90&#

peakaboo
July 16th, 2004, 09:30 PM
Thanks Kye.

Not sure what to make of this "news" due to the lack of cross confirmation, but I am familiar with the source poster Paul so I'm taking this as fact.

http://www.computercops.biz/article-5228-nested-0-0.html

Sad.

I knew of Scott only via his freeware Proxomitron and a couple of direct posts. He was a good guy. His product was exceptional. He touched many.

RIP SRL (your greatness lives on through Proxomitron and the many lives you have touched and made better)

Blackspear
July 17th, 2004, 06:12 AM
Is this thread discussed in great detail anywhere on Wilders?

As in Cause, Effect and most importantly SOLUTION of every exploit (1 to 4, and 1 to 30).

Cheers ;D

Kye-U
July 17th, 2004, 03:45 PM
Peakaboo, updated once again.

Last Updated: July 17, 2004 - 3:40 PM EST

http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

-Added descriptions to all of my filters

-Modified (Hide ClipBoard Contents [Kye-U])
--Made it also match another function

-Renamed (IE: Restricted Cookie Exploit [Kye-U])
--Changed to (Restricted Cookie Bypass Exploit [Kye-U]) as it applies to multiple browsers

peakaboo
July 17th, 2004, 04:28 PM
Kye, thanks for the update. I d'ld about 35 min ago. Nice touch adding descriptions.

Is this filter set compatible with multiple versions of proxo?

I'm getting a significant slow down after merge (hope I did it right - merged only web & header filters with my own custom blend and saved as separate filter). I am working my way through the filters keeping those which are not duplicates of filters I already have function wise & those relevant to my specific Browser or OS type to find the culprit for the drag.

Kye-U
July 17th, 2004, 04:35 PM
{QUOTE-> I'm getting a significant slow down after merge (hope I did it right - merged only web & header filters with my own custom blend and saved as separate filter). <-QUOTE}

I'm trying to find the filter(s) that are causing the slow down.

Maybe it's the sheer amount of filters...

Maybe I should merge certain filters together? ;D

peakaboo
July 17th, 2004, 06:02 PM
{QUOTE-> Is this thread discussed in great detail anywhere on Wilders?

As in Cause, Effect and most importantly SOLUTION of every exploit (1 to 4, and 1 to 30).

Cheers ;D <-QUOTE}

Blackspear,

To answer your question in a global sense, part of the essence and raison d'être of Wilders Security is also the solution for many of the exploits.

Try a search on threads or posts for either:

alternative browsers or layered defense

and you will pull up volumes.

some helpful links:

http://www.wilderssecurity.com/showthread.php?t=41013

http://www.wilderssecurity.com/showthread.php?t=5367&page=1&pp=25

http://www.wilderssecurity.com/showthread.php?t=41603

http://www.wilderssecurity.com/showthread.php?t=41074

LWM and many others say your best defense is between your ears.

To answer your question specifically, are there threads here which address this thread, I would say the answer is no because the thread addresses the real issue see:

posts in this thread 3, 15, 17, 32&33, 38 46 and Kye's work re: security filter pack for proxomitron.

Blackspear
July 17th, 2004, 07:11 PM
{QUOTE-> ...To answer your question specifically, are there threads here which address this thread, I would say the answer is no because the thread addresses the real issue see:

posts in this thread 3, 15, 17, 32&33, 38 46 and Kye's work re: security filter pack for proxomitron. <-QUOTE}

Thanks for your reply Peakaboo.

The basic answer seems to be to use an alternative browser such as Opera.

What about Firefox or Mozilla?

As well as use Proxomitron - I have downloaded and installed this.

and Kye U's filters - I am having trouble installing these filters, as in no idea how to :(

Cheers ;D

peakaboo
July 17th, 2004, 07:56 PM
Blackspear,

You probably have a good handle on this, but for those who may run across this discussion:

1) alternate browser & email client is part of the answer

2) surfing & email habits is part of the answer (between the ears common sense)

3) email previewer like mail washer or frontgate

4) Mozilla is good (watch firefox beta very promising speedster) it should be coming out of beta soon, until it does, let others be the guineas

5) Proxomitron has a learning curve and until you get the hang of it, you may want to stick with default configs which come with Proxo or try sidki, alto sax, or jd5000 configs. When you get the hang of it custom fit your own config for speed.

implement Kye's work as he refines his great WIP

6) re: layered defense call up that post I referenced, pay particular attention to

+ firewall
+ Browser
+ AV
+ Process Guard (free & use unlimited MD5 for Ap control)
+ Application sandbox - like AB or SSM or even the MD5 of Process Guard
+ Spyware killer - SS&D
+ Proxo - ad, js, js script, Iframe, referrer, cookie out, etc., killer and all around great http html filter.

Kye-U
July 17th, 2004, 08:38 PM
Blackspear, go here to learn how to merge filters:

http://www.kye-u.com/proxo/forums/index.php?showtopic=2

And another good site to read up on Proxomitron, and perhaps to climb the learning curve is http://www.sankey.ws/proxomitron.html

Blackspear
July 17th, 2004, 08:47 PM
{QUOTE-> Blackspear,

You probably have a good handle on this, but for those who may run across this discussion:

1) alternate browser & email client is part of the answer

2) surfing & email habits is part of the answer (between the ears common sense)

3) email previewer like mail washer or frontgate

4) Mozilla is good (watch firefox beta very promising speedster) it should be coming out of beta soon, until it does, let others be the guineas

5) Proxomitron has a learning curve and until you get the hang of it, you may want to stick with default configs which come with Proxo or try sidki, alto sax, or jd5000 configs. When you get the hang of it custom fit your own config for speed.

implement Kye's work as he refines his great WIP

6) re: layered defense call up that post I referenced, pay particular attention to

+ firewall
+ Browser
+ AV
+ Process Guard (free & use unlimited MD5 for Ap control)
+ Application sandbox - like AB or SSM or even the MD5 of Process Guard
+ Spyware killer - SS&D
+ Proxo - ad, js, js script, Iframe, referrer, cookie out, etc., killer and all around great http html filter. <-QUOTE}

Many, many thanks Peakaboo, GREAT reply, that is what I was looking for.

I already do most (now all) of #6.

I started to do some of the exploits to find I was very deep in a quagmire and with each step finding myself bogged even further. I was wondering if there were multiple programs required to fix these or there was something simpler, and indeed there is.

When I first tried, I had 50+ web pages opening, even with grouping I wasn't able to stop this, a hard power off was the only option, Control+Alt+Delete did not work. I then installed Proxomitron and tried again, this time only a second webpage opened with rapid-fire clicks going on, 2 r/clicks later and I was able to close the group.

My second try found a full screen of blue, holding the escape key down I was able to see the task bar and r/click and close the group... At this point I realised I was out of my depth, and hence the question...

Again, many thanks for your reply. I'm going to try Firefox, and both ask and play around with Proxomitron.

Cheers ;D

Blackspear
July 17th, 2004, 08:48 PM
{QUOTE-> Blackspear, go here to learn how to merge filters:

http://www.kye-u.com/proxo/forums/index.php?showtopic=2

And another good site to read up on Proxomitron, and perhaps to climb the learning curve is http://www.sankey.ws/proxomitron.html <-QUOTE}

Many thanks Kye-U, I shall go and have a look :)

Cheers ;D

Kye-U
July 18th, 2004, 12:40 AM
{QUOTE-> Many thanks Kye-U, I shall go and have a look :)

Cheers ;D <-QUOTE}

No problem Blackspear. I found Proxomitron confusing when I first installed it, and I had to get JD5000's filter set and analyze it, and found that it was pretty easy. The most important thing that I found was to get the Bytes Limit big enough to match real-life situations, or the amount of coding you're trying to match.

The other thing was the URL. Most of the time, you should put, "(www.|)yahoo.com/"

The (www.|) part means that it'll look if there's www., OR (the "|") nothing (the nothing before the closing bracket).

You'll get the hang of it in about 2 weeks if you read up a lot and learn the functions of the symbols... \0-\9, \w, \k, $ALERT(), etc. The Headers section is a bit more complicated, and that's where I'm a newbie at. :-X

BTW:

Pack Last Updated: July 18, 2004 - 12:33 AM EST

http://www.kye-u.com/proxo/forums/index.ph...topic=131&st=0# (http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#)

-Removed (IE: Meta Tag Exploit [Kye-U])
--Overlapped (IE: window.createPopup [Kye-U])

-Modified (Opera: URI Handling Exploit [Kye-U])
--Added (%2F) to match

-Modified (Opera: Malformed Server Name Exploit [Kye-U])
--Changed (%) to [%] on Advice

Kye-U
July 18th, 2004, 01:01 AM
Last Updated: July 18, 2004 - 1:00 AM EST

http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

-Modified (IE: Local Zone Access Exploit [Kye-U])
--Fixed False Positive

Kye-U
July 18th, 2004, 01:32 PM
Version 4.07 is out!

Last Updated: July 18, 2004 - 1:13 PM EST

http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

peakaboo
July 18th, 2004, 06:45 PM
Hi Kye,

I dld 4.07. Good job!

If I can offer you some feed back:

1) I like the info you provide on the filters such as the url to view more info.

My suggestion here is if you have the following info include it:

add "latest version vulnerable"

example for filter: Opera: Permanent Denial Of Service Exploit [Kye-U] the info you have is:

A known exploit in older versions of Opera. An excessively long "news:" URL could crash Opera.

http://www.securityfocus.com/bid/7430/info/)

What would help me is if I saw right up front something like

latest version vulnerable 7.11 An excessively long "news:" URL could crash Opera.

http://www.securityfocus.com/bid/7430/info/)

Luckily with the security focus site, the latest version vulnerable info is available I think under the info tab

2) I'm not sure if I got a false positive on the following filter when I entered this thread, but the filter sure matched:

Match 689: Opera: URI Handling Exploit [Kye-U]

3) Seems like the following filter may have been causing my slow down. When I unchecked it my slow down virtually disappeared. I'll continue to test to verify:

Opera: Malformed Server Name Exploit [Kye-U]

_______________________________


Good job on the following:

I went to Opera: Address Bar Spoofing Exploit [Kye-U] filter

and surfed to the link referenced and tried the exploit which is supposed to work on Opera 7.52 and possibly older versions, and your filter worked perfectly.

Match 783: Opera: Address Bar Spoofing Exploit [Kye-U]

good job Kye!

I need to go back and see if I get owned without your filter ;)

If you would prefer this feedback either on your site or via email just PM me.

Kye-U
July 18th, 2004, 10:25 PM
{QUOTE-> My suggestion here is if you have the following info include it:

add "latest version vulnerable"

2) I'm not sure if I got a false positive on the following filter when I entered this thread, but the filter sure matched:

Match 689: Opera: URI Handling Exploit [Kye-U]

3) Seems like the following filter may have been causing my slow down. When I unchecked it my slow down virtually disappeared. I'll continue to test to verify:

Opera: Malformed Server Name Exploit [Kye-U] <-QUOTE}

Thanks for your input! Version 4.08 is out. But unluckily, I didn't look at your post when I released it. :-X

1) I will for sure look into including the versions that are vulnerable in each description in version 4.09.

2) Your first post includes the Opera exploit:

opera:/help/..%5c..%5c..%5cwinnt/notepad.exe

That's why ;)

3) I will look into that filter and try to fix it somehow.

Thank you! ;)
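
Added example, not Kye-U's filter and not part of the original posts: the match explained above happens when a pattern scans the whole page, so a thread that merely quotes the URI trips it. This Python check decodes %5c and %2F before looking for ".." and compares scanning raw page text with scanning only URL-bearing attributes; the function names and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# ".." bounded by a path separator (or string edge), tested after
# percent-decoding so %5c and %2F count the same as "\" and "/".
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Anything in page text that looks like an opera: URI.
OPERA_URI = re.compile(r"opera:[^\s\"'<>]+", re.IGNORECASE)


def is_traversal_uri(uri, scheme="opera:"):
    """True when uri uses the scheme and its decoded path climbs with '..'."""
    uri = uri.strip()
    if not uri.lower().startswith(scheme):
        return False
    path = unquote(uri[len(scheme):])
    return bool(TRAVERSAL.search(path))


class LinkCollector(HTMLParser):
    """Collect values of URL-bearing attributes, ignoring visible text."""

    URL_ATTRS = {"href", "src", "action", "data"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append(value)


def scan_text(html):
    """Whole-page scan: also fires on pages that only mention the URI."""
    return [u for u in OPERA_URI.findall(html) if is_traversal_uri(u)]


def scan_links(html):
    """Attribute-only scan: fires only where the browser would follow the URI."""
    collector = LinkCollector()
    collector.feed(html)
    return [u for u in collector.urls if is_traversal_uri(u)]


# Constructed pages. The URI is the one quoted in the post above.
URI = "opera:/help/..%5c..%5c..%5cwinnt/notepad.exe"
DISCUSSION_PAGE = "<p>Your first post includes the Opera exploit: " + URI + "</p>"
LINKING_PAGE = '<p>Manual: <a href="' + URI + '">open help</a></p>'

if __name__ == "__main__":
    for label, page in (("discussion", DISCUSSION_PAGE), ("linking", LINKING_PAGE)):
        print(label, "text hits:", len(scan_text(page)),
              "link hits:", len(scan_links(page)))
```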

Kye-U
July 19th, 2004, 03:33 AM
Version 4.09 is now out.

http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

-Added Version(s) Vulnerable in Descriptions

-Modified most of the filters' URL Match $TYPE() information to possibly decrease CPU load

-Modified (Opera: Malformed Server Name Exploit [Kye-U])
--Made the match a little more detailed

-Renamed (Mozilla: 0-Width GIF Exploit [Kye-U]) to (0-Width GIF Exploit [Kye-U])
--Applied to multiple browsers

-Renamed (Mozilla: Javascript Exploit [Kye-U]) to (Javascript Location Exploit [Kye-U])
--Applied to multiple browsers

peakaboo
July 19th, 2004, 11:12 AM
{QUOTE-> Version 4.09 is now out.

http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

-Added Version(s) Vulnerable in Descriptions

-Modified most of the filters' URL Match $TYPE() information to possibly decrease CPU load

-Modified (Opera: Malformed Server Name Exploit [Kye-U])
--Made the match a little more detailed

-Renamed (Mozilla: 0-Width GIF Exploit [Kye-U]) to (0-Width GIF Exploit [Kye-U])
--Applied to multiple browsers

-Renamed (Mozilla: Javascript Exploit [Kye-U]) to (Javascript Location Exploit [Kye-U])
--Applied to multiple browsers <-QUOTE}

Very Nice job Kye,

I like the addition of the readme text file providing instructions which even a newbie should be able to follow on merge, the reason for your filter set, what's new, getting help etc.

I'm glad you were able to add my suggestion of adding the latest version vulnerable info. It helps those sifting through the filters to determine which filters they need and which they can do without.

Preliminary testing indicates much improved speed. I'll take a look later since right now I have a number of Aps running.

Very impressive and professional.

Congrats. ;)

Ignore the whiners who add nothing to the process. As you know SRL (may he RIP) and many others ran/run into these types quite often.

Nothing wrong with constructive suggestions offered in the spirit of building and improving. Keep up the great work!

Kye-U
July 19th, 2004, 11:22 PM
Version 4.10

Last Updated: July 19, 2004 - 11:18 PM EST

http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

-Disabled uncommon/old exploits, in order to lower CPU usage

-Modified (IE: Local Zone Access Exploit [Kye-U])
--Fixed (), [] issue
--Fixed False Positive

-Removed (Javascript Location Exploit [Kye-U])
--Overlapped with (View-Source Exploit [Kye-U])

Rasheed187
July 20th, 2004, 03:29 PM
But where are the latest exploits on this testpage? I use IE 5.01 and I would like to know if all the exploits on Secunia are covered on this page.(http://secunia.com/product/9/)

I passed all but 2 tests with Maxthon (an IE shell) with Active Scripting enabled and ActiveX disabled. Only exploit 9 (computer ran out of resources) and exploit 27 (notepad popup) gave me troubles. And exploit 2 (privacy test) showed quite a lot information about my system, but this can be prevented with referrer blocking I think.

So I would like to see a demo of download.ject and the other latest high risk threats. And btw, with the Browser Security Test I only get 1 low risk vulnerability, so it seems like I'm pretty safe, but I'm not sure of course. Any feedback will be appreciated. Oh and I'm also not running a realtime virus scanner or sandbox, just a firewall (ZA Pro).

Kye-U
July 20th, 2004, 08:11 PM
Peakaboo, version 4.12 is now out. It significantly reduces the CPU load.

Version 4.12

http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#

Last Updated: July 20, 2004 - 6:35 PM EST

-Dramatically fixed CPU issue

-Added (URL-Killer: Disable Script URL Exploits [Scott L.] (Out))

-Added (IE: Javascript location.assign Exploit [Kye-U])
http://www.securityfocus.com/bid/10689/info/

-Removed (Cross-Domain Policy Exploit [Kye-U])

-Removed (window.MoveBy [Kye-U])

-Removed (IE: Cross Site Exploit [Kye-U])

-Removed (IE: Javascript Invalid "For" Exploit [Kye-U])

-Removed (IE: Non-FQDN URI Exploit [Kye-U])

-Removed (IE: window.createPopup [Kye-U])

peakaboo
July 20th, 2004, 08:52 PM
Kye,

Thanks for the update. Glad you got that CPU issue resolved.

If you are looking to delete more filters, maybe consider only including filters above your "designated base" filter set. You might select your favorite secure filter set say from sidki or whomever.

Simply add filters to your set which add incremental value or a better way (faster more efficient etc).

Example if you have multiple exploits which have as their method of delivery iframe and your "designated base" filter set has an iframe killer filter then maybe there is no need to have another filter which deals with iframe. Same for Js type delivery exploits etc

I'm sure you are doing something like this anyway. Just a thought.

Keep up the good work. 8)

peakaboo
July 20th, 2004, 09:18 PM
{QUOTE-> But where are the latest exploits on this testpage? I use IE 5.01 and I would like to know if all the exploits on Secunia are covered on this page.(http://secunia.com/product/9/)

I passed all but 2 tests with Maxthon (an IE shell) with Active Scripting enabled and ActiveX disabled. Only exploit 9 (computer ran out of resources) and exploit 27 (notepad popup) gave me troubles. And exploit 2 (privacy test) showed quite a lot information about my system, but this can be prevented with referrer blocking I think.

So I would like to see a demo of download.ject and the other latest high risk threats. And btw, with the Browser Security Test I only get 1 low risk vulnerability, so it seems like I'm pretty safe, but I'm not sure of course. Any feedback will be appreciated. Oh and I'm also not running a realtime virus scanner or sandbox, just a firewall (ZA Pro). <-QUOTE}

Rasheed,

The 30 exploits + browser exploit test designated for the poll are static at this point. New exploits will be added as they come along as Alpha exploits A-Z.

If you have a link to an exploit you want to see PM or post a link and I'll add as an Alpha exploit, the next time I do an update to post #1.

The reason I have a base set of tests is for consistency, and to provide a base level of issue exploits which if you get by the base exploits you can have a modicum of confidence that you are on the right track security wise. Admittedly the base will become old but hopefully it will still be relevant going forward as a base measure.

If you need some help getting over 2, 9, & 27 holla ;)

Also I presume you had no problem with the Alpha exploits since you did not mention.

Rasheed187
July 21st, 2004, 07:59 AM
Hi Peakaboo,

I also didn't have any problem with the alpha exploits. I have to say that I also didn't use proxy software like Proxo but I did have my (quite powerful) popupblocker enabled.

But I would like to see demos of all the exploits on Secunia's page. I also read yesterday on a page that IE 5.01 isn't vulnerable to download.ject, does anyone know if this is true? And about 2, 9 and 27, PM me about it please, I don't consider them to be high risk, but any info is always welcome. ;)

Maxthonhater
July 21st, 2004, 10:29 AM
{QUOTE-> But where are the latest exploits on this testpage? I use IE 5.01 and I would like to know if all the exploits on Secunia are covered on this page.(http://secunia.com/product/9/)
And exploit 2 (privacy test) showed quite a lot information about my system, but this can be prevented with referrer blocking I think.
. <-QUOTE}

Referrer blocking blocks only the referrer. But since when did Maxthon have that?

Rasheed187
July 22nd, 2004, 07:45 AM
Hi,

It could be in one of the next versions, Maxthon rules!!! :) Did you know that it actually fixed an unpatched hole in IE?

Robyn
July 22nd, 2004, 08:43 AM
Be very careful with Ad-muncher in (MYIE2) now Maxthon as it does 'call home'

I tried MYIE2 for a short time and quite liked it but as it is based on IE 5.01 what will happen when SP2 is released and requires IE6 for the full function of the gold bar and security settings?

Kye-U
July 22nd, 2004, 08:08 PM
Peakaboo,

Version 4.13 Released:

http://www.kye-u.com/proxo/forums/index.php?showtopic=131&st=0#



-Added (OnUnload Unloader [Scott L.])

-Added (IE: "Shell" Cross Zone Exploit [Kye-U])
http://www.securityfocus.com/bid/9628/info/

-Modified (IE: showHelp() Exploit [Kye-U])
--Added ClassID, renamed to include giver of information, Siamesecat

-Modified (Prevent file access [Siamesecat])
--Made it match with IMG tags
--Fixed false positive

-Removed (IE: Expose Local Files Exploit [Kye-U])

-Removed (IE: Local Zone Access Exploit [Kye-U])

-Removed (IE: Meta Tag Foreign Domain Exploit [Kye-U])

-Removed (Opera: Address Bar Spoofing Exploit [Kye-U])

nadirah
July 23rd, 2004, 05:18 AM
Amazing... my firefox browser version 0.9.2 defeated all the vulnerabilities! ;D

peakaboo
July 23rd, 2004, 11:07 AM
{QUOTE-> Amazing... my firefox browser version 0.9.2 defeated all the vulnerabilities! ;D <-QUOTE}

One of the most important things you can do to improve your security is use an alternative browser.

After switching it is important to keep your browser version updated as no software is perfect, it is just a matter of time before someone finds the holes.

That said Firefox and others like Opera, Kmeleon etc appear to place a high priority on providing a secure product as the gif below indicates the holes are there but they are few, and if you are on beta 0.9.2 you should be clear on all known vulnerabilities to date (same for Opera 7.53).

Post #59 shows additional steps you can take to be more secure on the net.

Rasheed187
July 25th, 2004, 03:10 PM
^^^

Exactly, with all this focus on IE you will almost forget that Mozilla and Opera have security issues too. At the moment I browse sites that use javascript only with Opera, but I haven't patched that in a while LOL.

Bubba
July 29th, 2004, 01:28 PM
By using IE 6 Sp1....which is ALL my defenses....IE passed with flying colors.

peakaboo
July 29th, 2004, 03:06 PM
{QUOTE-> By using IE 6 Sp1....which is ALL my defenses....IE passed with flying colors. <-QUOTE}

Bubba, glad to hear you did well with IE 6 Sp1.

For most the recommended solution to browser exploits is a combination of moving to an alternate browser and additional layered defenses. See post #59 page 3.

As noted in post #74 the 30 exploits + browser test become a reference point only test base for the poll, to show the impact of using old unpatched IE versions of the past. If M$ improves their track record going forward, you will see fewer IE exploits on a relative basis listed in the alpha exploits. The alpha exploits are where I add the new exploits going forward from 4/3/04.

{QUOTE-> from post #74:

The 30 exploits + browser exploit test designated for the poll are static at this point. New exploits will be added as they come along as Alpha exploits A-Z.

The reason I have a base set of tests is for consistency, and to provide a base level of issue exploits which if you get by the base exploits you can have a modicum of confidence that you are on the right track security wise. Admittedly the base will become old but hopefully it will still be relevant going forward as a base measure. <-QUOTE}

Note also that according to the test info descriptions, IE 6 SP1 is vulnerable to at least the following 2 listed alpha exploits:

Microsoft Internet Explorer Popup.show Mouse Event Hijacking Vulnerability

Microsoft Internet Explorer JavaScript Desktop Spoofing Vulnerability

Post #17 page 1 has the links to get you to more data on the above 2 alpha exploits.

Bubba
July 29th, 2004, 03:27 PM
{QUOTE->
For most the recommended solution to browser exploits is a combination of moving to an alternate browser and additional layered defenses. <-QUOTE}

Very much agree that IE is NOT a browser for the masses to use because in order to use IE securely one needs to understand its capabilities....something most users, much less the masses, have any desire of doing. As for a layered defense....that is a given if one is to stay secure when browsing today's World Wide Web.

{QUOTE->
Note also that according to the test info descriptions, IE 6 SP1 is vulnerable to at least the following 2 listed alpha exploits:

Microsoft Internet Explorer Popup.show Mouse Event Hijacking Vulnerability

Microsoft Internet Explorer JavaScript Desktop Spoofing Vulnerability

Post #17 page 1 has the links to get you to more data on the above 2 alpha exploits. <-QUOTE}

Actually....IE 6 SP1 is exploitable with most ALL those above mentioned vulnerabilities....BUT....with a properly secured IE it's worse than watching paint dry :)


One of the things that bothers me most is the move to alternate browsers without at least attempting to learn the capabilities of IE. Hopefully I'm wrong....but now the evil doers are probably burning the midnight oil finding holes in these alternate browsers of users that are still clueless when it comes to securing their Internet travels. While some of these alternate browsers will indeed offer better protection for some....a little knowledge is still needed or they will be right back where they were....Not practicing safe Hex.

nadirah
July 30th, 2004, 07:08 AM
I have a keep-all-software-up-to-date policy for my computer, which means all the software on my computer is always up-to-date.

Rasheed187
August 1st, 2004, 12:30 PM
A bit OT: I've heard that the filters that Kye-U provides don't really help against all these IE exploits, what's up with that?

peakaboo
August 1st, 2004, 02:21 PM
{QUOTE-> A bit OT: I've heard that the filters that Kye-U provides don't really help against all these IE exploits, what's up with that? <-QUOTE}

Rasheed,

Can you be a little more specific, which exploits do the filters not work against? Did you just hear this or did you experience this? If you heard it and you have a link post it.

I'm sure Kye is open to any positive suggestions for improving his filters.

Also as you are aware proxo was never intended as a main line defense against IE exploits, a local proxy like proxomitron can be part of a total layered defense.

Kye-U
August 1st, 2004, 03:33 PM
{QUOTE-> A bit OT: I've heard that the filters that Kye-U provides don't really help against all these IE exploits, what's up with that? <-QUOTE}

I'd say it covers most of the more recent ones, for the latest version of IE (5 - 6)

I'm sure that it's better than nothing at all :)

Rasheed187
August 4th, 2004, 07:36 AM
I'm not sure if it's a good idea to post the link, but I do know that the people who are saying this are no security newbies.

I mean if the filters are not helping to eliminate these security problems, it's a bad thing to give people a sense of false security of course.

So let me get this clear KyeU, you are saying that all the filters you provide will solve the known exploits in IE? Did people test this? Don't get me wrong, I'm not an expert myself, it's obvious you know more about this subject than me, so maybe you can give me some info. :)

Kye-U
August 5th, 2004, 03:23 PM
{QUOTE-> So let me get this clear KyeU, you are saying that all the filters you provide will solve the known exploits in IE? Did people test this? Don't get me wrong, I'm not an expert myself, it's obvious you know more about this subject than me, so maybe you can give me some info. :) <-QUOTE}

My filters will solve most of the recent exploits discovered in IE. I looked at examples of each exploit, and created filters to fix them.

For example, the filter "IE: Javascript Full Screen Exploit [Kye-U]" has this in its matching section:

.show\(*screen.(width|height)*\)

This will detect this code on this site:

spoofwin.show(screen.width/2-59,screen.height/2-68,250,40)

http://freehost07.websamba.com/greyhats/dlwinspoof.htm

It works by looking specifically for the ".show(screen.width OR height)"

Check for more examples here: http://www.securityfocus.com/bid/3469/exploit/
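The match described in the post above, run over a few sample lines (an added example, not part of the original post and not Kye-U's code). It assumes Proxomitron's matching language treats `*` as "any run of characters", `?` as any single character, `\(` as a literal parenthesis, `.` as a literal dot, and matches case-insensitively; `proxoToRegExp`, `scan` and all sample lines except the first are constructed for illustration.

```javascript
// Added example: approximates a subset of Proxomitron match syntax as a
// JavaScript RegExp (assumed semantics, see the lead-in).
function proxoToRegExp(pattern) {
  let out = "";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "\\" && i + 1 < pattern.length) {
      out += "\\" + pattern[++i];               // escaped char stays literal
    } else if (c === "*") {
      out += "[\\s\\S]*?";                      // wildcard, shortest match
    } else if (c === "?") {
      out += "[\\s\\S]";                        // any single character
    } else if ("(|)".includes(c)) {
      out += c;                                 // grouping and OR carry over
    } else {
      out += c.replace(/[.+^${}\[\]]/g, "\\$&"); // everything else is literal
    }
  }
  return new RegExp(out, "i");
}

// Matching expression quoted in the post.
const FILTER = ".show\\(*screen.(width|height)*\\)";

// Sample lines: the first is the call quoted in the post, the rest are
// constructed to show where the filter fires and where it does not.
const SAMPLES = [
  "spoofwin.show(screen.width/2-59,screen.height/2-68,250,40)",
  "Spoofwin.SHOW( Screen.Height/2, 0, 1, 1 )",    // case/spacing variant
  "menu.show(10, 20, 200, 40)",                   // show() without screen.*
  "window.resizeTo(screen.width, screen.height)", // screen.* without show()
  "tip.show(); var w = screen.width; resize(w)",  // unrelated statements
];

// Returns one record per line: whether the filter fires and on which text.
function scan(lines, pattern = FILTER) {
  const re = proxoToRegExp(pattern);
  return lines.map((line) => {
    const m = re.exec(line);
    return { line, hit: m !== null, matched: m ? m[0] : null };
  });
}

for (const r of scan(SAMPLES)) {
  console.log(r.hit ? "BLOCK" : "pass ", r.line);
}
```

The last sample is flagged even though `screen.width` is not an argument of `show()`: the wildcard spans statement boundaries, so a filter of this shape can also fire on harmless script.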

Rasheed187
August 5th, 2004, 05:08 PM
OK, thanks for the info, it looks good to me, I'm going to have a talk with the folks that were not impressed by your filters. :)

bigc73542
November 29th, 2004, 12:55 AM
I just clicked on this poll and got a trojan detected pop up. see screen shot

nadirah
November 29th, 2004, 01:31 AM
{QUOTE-> I just clicked on this poll and got a trojan detected pop up. see screen shot <-QUOTE}
Don't worry bigc, you can get rid of the trojan completely with TDS-3. Now that's the BEST solution for killing trojans. :D

bigc73542
November 29th, 2004, 06:49 PM
McAfee will delete it if it is set to. I had it set to clean and quarantine. What is interesting is that the popup warning came from this thread on this forum.

bigc

GlobalForce
November 29th, 2004, 07:26 PM
There's enough for all to go around! ;D Part of the test! :o
Just a trigger BigC.....I think ;)

GF

bigc73542
November 29th, 2004, 10:31 PM
Must be I don't mind sharing ;D

iwod
December 9th, 2004, 07:23 AM
Sorry, I have a problem understanding this test..........

I did the Browser test at http://bcheck.scanit.be/bcheck/
And I pass them. Does it mean I don't need to do the 30 tests included in the 2nd Post?

Also the alpha exploit with name suggesting to IE does work in Firefox 1.0 as well, namely number 2 which crash my system.....

Blackspear
December 10th, 2004, 06:32 AM
{QUOTE-> sorry i have problem understanding this test..........

...Also the alpha exploit with name suggesting to IE does work in Firefox 1.0 as well, namely number 2 which crash my system..... <-QUOTE}You have answered your own question, a vulnerability in your security was exploited that crashed your computer. Thus in certain areas of the internet you are wide open to being attacked... Answers to how to stop such exploits can be found from post number 59 onwards.

Hope this helps…

Cheers ;D

peakaboo
December 10th, 2004, 11:03 PM
Blackspear,

1) Perfect response to iwod's Q.

2) Is it just me or are we no longer able to edit prior posts... <== Looks like for older posts no editing is possible, but for recent posts you can edit your posts as I am doing to this one.

3) I was going to add the following two exploits as Alpha exploits to post #1, but I see no way to edit now... oh well have fun with the following:

Alpha exploit example E - IE Drag and Drop Vulnerability (http://freehost07.websamba.com/greyhats/longnamevuln.htm) <== proof of concept

Alpha exploit example F - IE Malformed IFRAME Remote Buffer Overflow Vulnerability (http://felinemenace.org/~nd/crash_ie/2446.html)

more info on these two here:

http://www.securityfocus.com/bid/11770/discussion/

http://www.securityfocus.com/bid/11515/discussion/

enjoy 8)

Blackspear
December 11th, 2004, 02:29 PM
{QUOTE-> 2) Is it just me or are we no longer able to edit prior posts... <== Looks like for older posts no editing is possible, but for recent posts you can edit your posts as I am doing to this one. <-QUOTE}Nope it’s just you ;) ;D Kidding ;D You can’t edit a post over 7 days old, otherwise people go back and edit posts and a thread suddenly makes no sense ;) ;D


{QUOTE-> 3) I was going to add the following two exploits as Alpha exploits to post #2, but I see no way to edit now... oh well have fun with the following:

Alpha exploit example E - IE Drag and Drop Vulnerability (http://freehost07.websamba.com/greyhats/longnamevuln.htm) <== proof of concept

Alpha exploit example F - IE Malformed IFRAME Remote Buffer Overflow Vulnerability (http://felinemenace.org/~nd/crash_ie/2446.html) <-QUOTE}Ahhh you'll have to do better than that to get past my security. 1st link comes up as “Done” and nothing happens. The 2nd link just says “No Object Found” ;) ;D

Come on, you gotta make them harder... ;) ;D

Cheers ;D

peakaboo
December 11th, 2004, 02:58 PM
Blackspear,

looks like ur defenses are in good shape - congrats

if you want a kick in the pants and a reminder of why you switched browsers, dust off your IE and try it again, that second link has a bunch of nice things it tries to do looking at the proxo log window...

saving grace for IE users would be SP2 and alternative defenses...

___________________________

I wonder if management here could make an exception so I can continue to edit post #2 - doubt it - so additional alpha exploits will have to be posted like E & F...

not a big deal either way ;)

Rita
December 11th, 2004, 05:04 PM
{QUOTE-> Nope it’s just you ;) ;D Kidding ;D You can’t edit a post over 7 days old, otherwise people go back and edit posts and a thread suddenly makes no sense ;) ;D


Ahhh you'll have to do better than that to get past my security. 1st link comes up as “Done” and nothing happens. The 2nd link just says “No Object Found” ;) ;D

Come on, you gotta make them harder... ;) ;D

Cheers ;D <-QUOTE}
Blackspear
on the first link, I couldn't move the carrot anywhere and the second link it said No Object found. What should I have seen on the first link? I did see the garden, what does that mean? I take it the second test was ok. How about the first link? I'm ignorant about these tests ;D

Blackspear
December 11th, 2004, 06:43 PM
{QUOTE-> looks like ur defenses are in good shape - congrats <-QUOTE}Indeed they are, and a big thank you to yourself and Kye-u ;D ;D ;D


{QUOTE-> if you want a kick in the pants and a reminder of why you switched browsers, dust off your IE and try it again, that second link has a bunch of nice things it tries to do looking at the proxo log window...

saving grace for IE users would be SP2 and alternative defenses... <-QUOTE}Just tried that, still my defenses kicked in, though they went berserk this time, Spyware Guard pounced, as did Prevx and Process Guard. It still didn’t get past, but not as good as using Firefox ;) ;D


{QUOTE-> I wonder if management here could make an exception so I can continue to edit post #2 - doubt it - so additional alpha exploits will have to be posted like E & F... <-QUOTE}I shall ask…

Cheers ;D

Blackspear
December 11th, 2004, 06:45 PM
{QUOTE-> I did see the garden, what does that mean? I take it the second test was ok. <-QUOTE}That's just fine, it means you passed.

{QUOTE-> How about the first link? I'm ignorant about these tests ;D <-QUOTE}Again you passed. Unless you want to make your heart race, I'd leave it alone in IE ;) ;D

You appear to have good security Rita ;D

Cheers ;D

Rita
December 11th, 2004, 07:12 PM
{QUOTE-> That's just fine, it means you passed.

Again you passed. Unless you want to make your heart race, I'd leave it alone in IE ;) ;D

You appear to have good security Rita ;D

Cheers ;D <-QUOTE}
thanks for replying blackspear :)

peakaboo
December 12th, 2004, 12:13 PM
{QUOTE-> Indeed they are, and a big thank you to yourself and Kye-u ;D ;D ;D


Just tried that, still my defenses kicked in, though they went berserk this time, Spyware Guard pounced, as did Prevx and Process Guard. It still didn’t get past, but not as good as using Firefox ;) ;D


I shall ask…

Cheers ;D <-QUOTE}

Thank You for passing it on... ;)

Also Thanks for the edit follow-up.

Blackspear
December 12th, 2004, 05:25 PM
{QUOTE-> thanks for replying blackspear :) <-QUOTE}My pleasure Rita ;D


{QUOTE-> Thank You for passing it on... ;)

Also Thanks for the edit follow-up. <-QUOTE}My pleasure PB, any time I can help you it is indeed a great pleasure, yourself and Kye-u are what taught me about taking my security to the next level. I now run a very tight ship, and it is simple to install, use and maintain.

Again many thanks...

All the best.

Cheers ;D

peakaboo
December 15th, 2004, 10:51 PM
In my next update I may add the following Browser privacy test:

http://www.anonymizer.com/tr.cgi?f=site_home_20040721&a=free_privacytest&jt=privacytest/2.0/privacytest.cgi?test=1

Pretty cool... 8)

BTW... the answer is not necessarily to buy the stuff at the site where this test takes place.

The test actually pulled fake data from me on one test, when they were able to pull anything, most of the tests 5 of 8 came up empty handed; they got my IP address. No big deal - at all. ;)