Browser exploit tests & alternative defenses

Discussion in 'polls' started by peakaboo, Aug 2, 2003.


See detailed question below; Fill in your results here:

  1. I failed 1 or more of the initial exploits

    2 vote(s)
    22.2%
  2. I defeated all 4 exploits listed with the initial poll posted on 8/1/2003

    3 vote(s)
    33.3%
  3. I defeated initial exploits and addendum 1 vulnerabilities

    0 vote(s)
    0.0%
  4. I defeated initial exploits and addendum 1 & 2 vulnerabilities

    0 vote(s)
    0.0%
  5. I defeated initial exploits and addendum 1 thru 3 vulnerabilities

    0 vote(s)
    0.0%
  6. I defeated initial exploits and addendum 1 thru 4 vulnerabilities

    0 vote(s)
    0.0%
  7. I defeated initial exploits and addendum 1 thru 5 vulnerabilities

    0 vote(s)
    0.0%
  8. I defeated initial exploits and addendum 1 thru 6 vulnerabilities

    4 vote(s)
    44.4%
Thread Status:
Not open for further replies.
  1. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    What version of Sun Java are you running?

    Also if you get a chance please answer the post put to Libbo1:




    url repaired==bigc
     
    Last edited by a moderator: Apr 11, 2004
  2. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Re:IE vulnerabilities alternative defenses

    I am running an old version of Sun Java J2SE 1.4.1.03. With Mozilla Firebird 0.7 (nightly build 10-1-2003).

    Exploit 4 - Opens up a 'save as' dialog requesting to download foobar.exe. I clicked cancel. In the browser window a black box appears in the upper left and that is it.

    Exploit 5 - I believe this is the one where u click on the link and it opens up notepad or something. I clicked on the link and notepad didn't open. Instead I got an 'alert' dialog with a string of random characters... and ending with "could not be found. Please check the name and try again."

    Exploit 7 - No file was created on my computer. I also received a dialog saying the site's security certificate has expired and if I should accept or reject. I chose reject. A small gray box also is displayed in the upper left with a red 'x' in it. Nothing else happened.

    Exploit 9 - 'Save as' dialog opens asking if I want to save demo.doc. Firebird reveals that it is an exe despite the document icon.

    Exploit 12 -

    MS03-039: Test Result

    The vulnerability test has been performed. Please read the result of the test below.

    RESULT:
    Could not connect to Endpoint Mapper(Port 135/tcp). This could be because you are behind a firewall.


    Edit: Forgot the 2 Super Ads. Went to both sites. I am also using an old flash player for Firebird. Forgot the exact version but it was the latest v6. I went to both sites and while they are both littered with ads I did not notice anything particularly annoying or aggravating about the ads. I did not see any floating ads or the kind that will follow your mouse cursor or move up and down as you scroll the page. No pop-ups on the sites either. Even though I turned off Firebird's pop up blocker. Considering the amount of ads both sites loaded pretty quickly. Is there anything I should be looking for in these sites?
     
  3. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    Sounds like Firebird works well against these IE exploits on your system.

    The only one I thought might cause you a problem was #4. In Opera 7.11 if you run with frames & in line frames enabled you get owned.

    I see not even a mild burp on your system. Good job Firebird.

    Vulnerabilities 1-12 should be no problem for most systems even running naked.

    Sounds like Firebird handled The Superads with no problem. Again great result.

    Not sure why Crockett using Firebird .6 got this result:

    https://www.wilderssecurity.com/showthread.php?t=14249;start=45

    But got my attention and confirmed for me why I'm waiting to try Firebird. When Firebird comes out of beta I may give it a try :) Opera 7.2 is a speed demon I hear Firebird is tooooooooo :cool:

    What are ya packing? CPU ram anti* software etc.




    repaired url's==bigc
     
    Last edited by a moderator: Apr 11, 2004
  4. libbo1

    libbo1 Registered Member

    Joined:
    May 28, 2003
    Posts:
    123
    Location:
    florida
    Re:IE vulnerabilities alternative defenses

    Well Rerun did the work for me! Same version I'm using 0.7.
    Crockett's ver was 0.6. Lotta changes and improvements. I think a feature ppl really like is tab browsing, i.e. the ability to have numerous browsers open but in one window. Set em up to autoupdate and your favorite site is just a mouse hover away, with no need to refresh!
     

    Attached Files:

    • tab.jpg (File size: 22.8 KB, Views: 3,156)
  5. weddy

    weddy Guest

    Re:IE vulnerabilities alternative defenses

    Firebird 0.6.1

    1-3 - nothing

    4 - one download dialog box; I cancelled it, and did not receive any other download boxes

    5-6 - nothing

    7 - java asked if I wanted to install the applet, I declined and that was the end of it

    8 - nothing ever loaded except the gif telling me it was loading :rolleyes:

    9 - browser dialog box asking what I wanted to do with the .doc file, I cancelled, and that was that

    10 - interesting, but it didn't open notepad. I saw google's source, and my win.ini source in a browser tab (that could be because I've tweaked my firebird)

    11 - nothing

    12 - "RESULT:
    Could not connect to Endpoint Mapper(Port 135/tcp). This could be because you are behind a firewall." ...I do not have my firewall on for these tests

    Extra credit from ComputerCops - I have a plugin for firebird that blocks flash unless I click on it to enable it. So no flash ads (if that was what the test was for :p)
     
  6. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all exploit examples and Browser security Check before answering the poll.
     
  7. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    Good results except for 10.

    I'm using Opera, I get a 404 error when I click on the google or win.ini source on the computerbytes page from exploit 10.

    You missed 1 test, under Addendum II. Browser Security Test.

    Good to know Firebird is out there along with Opera (and others) as alternatives to IE.

    I have not used IE since switching to Opera. :)

    I'm not totally convinced these browsers are not exploitable, I'm guessing if the same effort to exploit were thrown at either, we would still have a smile but it may not be as broad. :D :cool: :D ;)
     
  8. weddy

    weddy Guest

    Re:IE vulnerabilities alternative defenses

    #10 didn't concern me too much since it just did a view source that showed up in a browser tab. I'm just glad it wasn't able to force a program open :D

    OOPS on the "Browser Security Test"; actually I did start it, but it quit working after loading that 900GB page LOL. I forgot to add that to the report since it stopped working. Now it won't run because I'm killing pops, I turned off that option LOL, guessing I have that configured elsewhere too, but forgot about it.

    I agree with you on the "if the effort were put to these browsers" thoughts. It's probably just a matter of time, when more switch over. Hope I'm wrong.
     
  9. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    Looks like M$ (Microsoft) is taking security issues and raising to the critical level of importance where it belongs. This observation is based solely on their efforts recently to patch their products and address known vulnerabilities (see note from PivX Solutions below). Past history indicates a definite move toward addressing all known vulnerabilities.

    Microsoft is a big target.

    They need to continually provide user incentive to upgrade in order to stay in business and generate revenue. Can't fault them for this.

    Interesting to me to see Microsoft maligned as being evil in some camps. Also interesting to see those trying alternatives struggle with what Microsoft makes so easy and transparent for the average user.

    http://www.wilderssecurity.com/showthread.php?t=14574

    IE browser for me is dead (though unfortunately I still need to keep it on my system due to tight integration with the OS). I'm running Opera and using M2 for mail client, and am very pleased. I think I can safely dump Netscrap 4.7 (my backup to IE). I will try Firebird once it comes out of beta. I'm still running Win9x, and it performs well. Waiting on Longhorn (2006?) could be a while. :)

    I will continue to update my poll test list here, but since switching to Opera I am finding greater peace of mind on the security issue, and I don't have to worry about updating those IE patches.

    **************************************

    excerpt note from PivX Solutions:

    http://www.pivx.com/larholm/unpatched/

    ... Recently, we have seen a sea change in Microsoft's commitment to rid its IE browser of the vulns that PivX Solutions and other third party researchers have identified. Given Microsoft's recent positive actions together with the current rise in attacks against IE we have agreed to give Microsoft a good faith reprieve and have taken down our "Unpatched" page. This was done in both a spirit of cooperation and for the good of the internet as a whole. As the ubiquitous browser that is utilized to access the internet, we all depend on IE too much to have crooks, social deviants, malcontents and crackers from messing with our lifestyles and our livelihoods. ENOUGH IS ENOUGH! ...
     
  10. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    2/11/04 update = Addendum IV:

    added 3 new IE exploits

    See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all 18 exploit examples, and Browser security Check before answering the poll.



    Also see important Admin Note from LowWaterMark


    Enjoy! :cool:
     
  11. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:IE vulnerabilities alternative defenses

    2/11/04 update = Addendum IV:

    added 3 new IE exploits

    See page 1 of this thread, message area 1 of this poll for all 18 exploit examples, and Browser security Check before answering the poll.

    _____________________________________________


    My result thru Addendum IV exploits:

    Poll response #6 - I defeated all 18 exploits + the 30 exploits from the Browser security check.

    using alternative Browser & Scott's triangle :D
     
  12. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    3/20/04 update = Addendum V:

    added 3 new IE exploits plus eicar AV test

    See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all 22 exploit examples, and Browser security Check before answering the poll.

    _____________________________________________

    My result thru Addendum V exploits:

    Poll response #7 - I defeated all 22 exploits + the 30 exploits from the Browser security check.

    using alternative Browser, Scott's triangle, and Good AV & Firewall protection ;)
     
  13. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Just ran across this nice little exploit will add it here for now:

    File Download Extension Spoofing

    After you have clicked the link above:
    If your Internet Explorer/Opera is vulnerable to this issue, a "File Download" dialog box will be displayed with the field "File name" or "File" being spoofed to be a .pdf file.

    If you choose "Open" in the "File Download" dialog box, the file will be executed as an HTML executable instead of being displayed with your favorite PDF viewer. This happens even though the filename seems to be "Secunia_Internet_Explorer.pdf" or "Secunia.pdf".


    _____________________________________________
    Solution:
    1) Do not use "Open" file, always save files to a folder as this reveals the suspicious filename.

    2) or if you use Proxomitron:

    Computer Cops forum Proxomitron ref for filter below

    Mizz Mona: has written a Header filter which allows you to see the actual file name & recommends a "no" for open request <--- Note: I tried this filter, and the one by Proxfox, both work, but the one from Mizz Mona is cooler ;)

    In = TRUE
    Out = FALSE
    Key = "Content-Disposition: IE Exploit Attachment-Spoof [Alert+Choice] [Mizz Mona] (in)"
    Match = "\1{\2}\3&$ALERT(*** WARNING ***\nIE Attachment-Spoof Exploit Detected!\n\n\1{\2}\3)($CONFIRM(Allow only the attachment below? (Safest action= NO)\n\n\1\3)|$SET(1=\k)$SET(3=))"
    Replace = "\1\3"

    _____________________________________________
    more info here:

    http://secunia.com/advisories/10736/

    &

    http://secunia.com/Internet_Explorer_File_Download_Extension_Spoofing_Test/
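
Added example, not part of the original thread and not Proxomitron or Secunia code: a Python version of the check the Content-Disposition header filter in the post above performs, flagging a brace-delimited segment inside the served filename and either stripping it or rejecting the response. The function names and sample headers are constructed for illustration, and the two outcomes are an assumed reading of the filter's Match and Replace lines.

```python
import re

# "filename" parameter of a Content-Disposition value, quoted or bare.
_FILENAME = re.compile(r'(filename\s*=\s*)("([^"]*)"|([^;\s]+))', re.IGNORECASE)
# Brace-delimited segment, i.e. the "{\2}" part of the filter's Match pattern.
_BRACED = re.compile(r"\{[^{}]*\}")


def inspect_content_disposition(value):
    """Describe one Content-Disposition header value.

    flagged  : True when the filename carries a brace-delimited segment
    filename : the filename exactly as the server sent it (None if absent)
    stripped : the filename with every brace segment removed
    """
    m = _FILENAME.search(value)
    if not m:
        return {"flagged": False, "filename": None, "stripped": None}
    name = m.group(3) if m.group(3) is not None else m.group(4)
    stripped = _BRACED.sub("", name)
    return {"flagged": stripped != name, "filename": name, "stripped": stripped}


def filter_header(value, allow):
    """Apply the two outcomes assumed for a flagged header.

    allow=True  -> forward the header with the brace segment removed
    allow=False -> return None, meaning the response should be rejected
    Headers that are not flagged pass through unchanged.
    """
    info = inspect_content_disposition(value)
    if not info["flagged"]:
        return value
    if not allow:
        return None
    m = _FILENAME.search(value)
    quoted = m.group(3) is not None
    new_name = '"%s"' % info["stripped"] if quoted else info["stripped"]
    # Rebuild the header around the rewritten filename, keeping other parameters.
    return value[:m.start(2)] + new_name + value[m.end(2):]


# Constructed sample headers; the brace content is a placeholder value.
SAMPLES = [
    'attachment; filename="report.{00000000-0000-0000-0000-000000000000}report.pdf"',
    'attachment; filename="manual.pdf"',
    "attachment; filename=a{b}c.pdf; size=10",
    "inline",
]

if __name__ == "__main__":
    for header in SAMPLES:
        info = inspect_content_disposition(header)
        verdict = "SUSPICIOUS" if info["flagged"] else "ok"
        print("%-10s sent=%r shown-after-strip=%r"
              % (verdict, info["filename"], info["stripped"]))
```

The check only sees literal braces in a plain `filename=` parameter, so it shares the limitation of any exact-match header filter.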
     
  14. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    4/3/04 update = added 8 exploit examples

    See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all 30 exploit examples, and Browser security Check before answering the poll.


    If you defeat all Exploit examples and Browser security tests, send me (peakaboo) a PM and I'll add you to S² (S squared or Secure Surfer) shown at the end of the Exploit Examples page 1, message area 1 (1st posts)

    All Browser makes & models are welcome. Put up all your defenses!

    *** if you have trouble stealthing your IP address (Exploit Examples 2, 5, & 7) and you run proxomitron PM me, and I'll point you to some stealthing info - u r 5 min or less away from a stealth IP addy***

    Also see important Admin Note from LowWaterMark


    Enjoy! :cool:
     
  15. RedLobster

    RedLobster Guest

    Peekabo

    ok I'm game for the test.....will go them all.....using IE..firewall..anti-virus....and my own made block list.......
     
  16. RedLobster

    RedLobster Guest

    Nope....canceled test......won't go to lockdown website......my pref not to
     
  17. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re:Browser exploit tests & alternative defenses


    Anyone who has a problem with lockdown - just skip those 5 tests, vote, and post your results saying you skipped Lockdown tests.

    The lockdown exploits are clearly marked (exploit #1, 3, 5, 7 & 8 ).

    The Lockdown exploits are easy to defeat. I understand this is not the issue; but rather due to past perceptions and or issues, some may choose not to go to their site.

    Personally I feel those 5 tests are pretty good, and if my pc were vulnerable I sure would like to know sooner rather than later, so I could attempt to do something about it before getting owned.

    _____________________________________________

    so again:

    4/3/04 update = added 8 exploit examples

    See page 1, message areas 1 & 2 (1st & 2nd posts) of this poll for all 30 exploit examples, and Browser security Check before answering the poll.


    If you defeat all Exploit examples and Browser security tests, send me (peakaboo) a PM and I'll add you to S² (S squared or Secure Surfer) shown at the end of the Exploit Examples page 1, message area 1 (1st posts)

    All Browser makes & models are welcome. Put up all your defenses!

    *** if you have trouble stealthing your IP address (Exploit Examples 2, 5, & 7) and you run proxomitron PM me, and I'll point you to some stealthing info - u r 5 min or less away from a stealth IP addy***

    Also see important Admin Note from LowWaterMark


    Enjoy! :cool:
     
    Last edited: Apr 10, 2004
  18. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Re: Browser exploit tests & alternative defenses

    I wrote a Proxomitron Security Pack for all Browsers ^_^

    http://www.kye-u.com/proxo/downloads.php?id=cfgpacks

    You can download it from there. Please consider signing up on our forums too! We need more members.
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,838
    Location:
    Texas
    Re: Browser exploit tests & alternative defenses

    Any more info on what your filters contain?
     
  20. Knightmare2

    Knightmare2 Guest

    Re: Browser exploit tests & alternative defenses

    I took a quick look at the filters, while I'm no security expert, I don't think the filters in there are useful. Many of them address exploits that are patched already, while some are far too specific and won't capture even the slightest variant of the same track.
     
  21. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re: Browser exploit tests & alternative defenses

    kye-u,

    Welcome to this thread. I appreciate your contribution. Also good to see your forum back. I will be visiting again ;) always good to get the latest proxo tweaks and share.

    For those who are interested, the following is a list of exploits which kye's filter is targeting. I can personally vouch for the following filter in your pack:

    "Content-Disposition: IE Exploit Attachment-Spoof [Alert+Choice] [Mizz Mona]"

    as post #38 above indicates - it is a sweet filter - thanks for including in your pack.

    When I get time, I'll take a look at the rest. Keep up the good work.

    Final thought is one of the best defenses against exploits is to stop using IE and instead pick an alternative browser and make it your default browser.

    http://www.newsforge.com/article.pl?sid=04/07/01/123233
    ________________________________

    from kye's filter pack:

    ## Kye-U Security Pack
    ##

    [HTTP headers]
    "Content-Disposition: File Extension Exploit [Kye-U] (In)"
    "Content-Disposition: IE Exploit Attachment-Spoof [Alert+Choice] [Mizz Mona] (in)"
    "Location: Local Resource Exploit [Kye-U] (In)"
    (Header: Local Resource Exploit attempt detected at \1::\2)"

    [Patterns]
    Name = "Block XSL Scripts"
    Name = "Defuse IE6 Crash - Absolute CSS Bug"
    Name = "Defuse "While-Loop" Browser Bombs"
    Name = "IFrame File Exploit [Kye-U]"
    Name = "Invisible Object Tag [Kye-U]"
    Name = "Hide ClipBoard Contents [Kye-U]"
    Name = "IE: Active Scripting Exploit [Kye-U]"
    Name = "IE: Classic Folder View Exploit [Kye-U]"
    Name = "IE: Cross Site Exploit [Kye-U]"
    Name = "IE: CSS Exploit [Kye-U]"
    Name = "IE: CSS Read Local File Exploit [Kye-U]"
    Name = "IE: Cross-Domain Policy Exploit [Kye-U]"
    Name = "IE: Defuse "Form Action+" Browser MailBombs"
    Name = "IE: Expose Local Files Exploit [Kye-U]"
    Name = "IE: File Download Error Message Exploit [Kye-U]"
    Name = "IE: JS Exception Exploit [Kye-U]"
    Name = "IE: Local Zone Access Exploit [Kye-U]"
    Name = "IE: Object Data Exploit [Kye-U]"
    Name = "IE: Favorites Read Exploit [Kye-U]"
    Name = "IE: Restricted Cookie Exploit [Kye-U]"
    Name = "IE: Search-Pane Exploit [Kye-U]"
    Name = "IE: showHelp() Exploit [Kye-U]"
    Name = "IE: Spoofed Address [Kye-U]"
    Name = "IE: Status Bar Spoof Exploit [Kye-U]"
    Name = "IE: Target Frame (Prevents Third-Party Frame Injection into Microsoft) [Kye-U]"
    Name = "IE: View-Source Exploit [Kye-U]"
    Name = "IE+XP: Kill & Alert HCP Links"
    Name = "IE5/Opera Exploit (IMG SRC)"
    Name = "IE5 Exploit (FORM Big Size Input)"
    Name = "Mozilla: Java Crash Bug [Kye-U]"
    Name = "Mozilla: Javascript Exploit [Kye-U]"
    Name = "Mozilla: Arbitrary Script Execution Exploit [Kye-U]"
    Name = "Mozilla: 0-Width GIF Exploit [Kye-U]"
     
    Last edited: Jul 15, 2004
  22. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
  23. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Re: Browser exploit tests & alternative defenses

    Kye, see post #17 (first page of this thread). It should provide reference info. for most of the exploits if available.

    Appreciate your adding the update link.

    I can appreciate what you are doing, because I know that when someone grows accustomed to a certain browser version, sometimes they just don't want to move away from that version if there is another viable solution (depending on the nature of the security issue). This applies not only to IE but to the Browser alternatives too.
     
  24. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
  25. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Re: Browser exploit tests & alternative defenses

    Opera version 7.52
     
