Re: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
2007-09-17 pgut001 cs auckland ac nz (Peter Gutmann)

RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
2007-09-17 Roger A. Grimes (roger banneretcs com)
Microsoft has always had links to external applications. That isn't new. IE protected mode doesn't protect you as much as you assume. IE-PM protects you from drive by downloads. If you download any program manually it is executed in normal user mode (medium integrity) or in elevated mode (high int

Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API
2007-09-16 Tim Brown (tmb 65535 com)
Firstly, "the sky isn't falling, the risks posed by the gadget API already existed elsewhere in Windows generally, but this is another new attack surface without any legacy dependencies". This is my general view on the gadget API. On Sunday 16 September 2007 13:34:32 Thierry Zoller wrote: > PG

Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
2007-09-16 Thierry Zoller (Thierry Zoller lu)
Dear Peter, I have a few questions, maybe you have time to answer them. PG> No, this is an entirely new level of attack, "New level of attack", what makes you believe that? PG> because it's moved the dancing PG> bunnies problem onto the Windows desktop. Huh ? What is different to let's say the so

RE: Next generation malware: Windows Vista's gadget API
2007-09-15 pgut001 cs auckland ac nz (Peter Gutmann)
(The original article was cross-posted to a lot of lists, maybe the discussion could be moved to vuln-dev only, unless everyone wants to see all of this stuff). "Roger A. Grimes" <roger (at) banneretcs (dot) com> writes: >Yes, this is a "new" attack vector, but it is always game over anyway if I >can get y

RE: Next generation malware: Windows Vista's gadget API
2007-09-14 Roger A. Grimes (roger banneretcs com)
Yes, this is a "new" attack vector, but it is always game over anyway if I can get you to run my untrusted program. In my testing, installing any Vista sidebar gadget results in a minimum of 3 warnings, each saying that the code being installed could be harmful, before it is installed. 5 warnings i

Next generation malware: Windows Vista's gadget API
2007-09-13 Tim Brown (tmb 65535 com)
A paper has just been released on the Windows Vista's gadget API. The abstract is as follows: Windows has had the ability to embed HTML into it's user interface for many years. Right back to and including Windows NT 4.0, it has been possible to embed HTML into the task bar, but the OS has alw

Re: where I can find "FUZZ" resource??
2007-09-09 nnp (version5 gmail com)
http://forum.smashthestack.org/viewtopic.php?id=112

Immunity Debugger v1.1
2007-08-30 Nicolas Waisman (nicolas waisman immunityinc com)
The number one request this month was "Please implement a Python shell so I can write scripts and play with immlib features on the fly!". This is now done. Enjoy! Next to that we continued our efforts to improve the overall debugging experience with two new libraries, libstackanalyze and Ero Ca

DeepSec IDSC 2007 Vienna Registration Now Open
2007-09-03 Paul Böhm (paul boehm org)
Good News Everyone, The DeepSec IDSC 2007 Registration has begun at http://deepsec.net/register/ Since we've received a lot of great feedback so far, we've made some changes to the conference since the initial announcement. * 36 top-notch Talks instead of 26. (see http://deepsec.net/schedule/) -

24th Chaos Communication Congress 2007: Call for Participation
2007-08-24 fukami (fukami berlin ccc de)
24th Chaos Communication Congress 2007: Call for Participation 24C3: Volldampf voraus! 24th Chaos Communication Congress December 27th to 30th, 2007 Berlin, Germany http://events.ccc.de/congress/2007/ Overview ======== The 24th Chaos Communication Congress (24C3) is the annual four-day confere

No cON Name 2007 - CALL FOR PAPERS
2007-08-21 deese spezialk net
No cON Name 2007 Congress === Call For Papers <> http://www.noconname.org/congreso2007.php <> <> October: 11,12,13. <> ** What is No cON Name 2007 ** This congress is thought for system an

ToorCon 9 CFP
2007-08-17 David Hulton (0x31337 gmail com)
Hey guys, Just thought I'd shoot this out to you all and let you know that we're doing our first round of speaker selection on Sunday the 19th. Otherwise, we'll be accepting submissions until September 9th. Thanks! -David --snip-- TOORCON 9 CFP Papers and presentations are being accepted for T

Re: "debug k" freezing Cisco routers?
2007-08-04 Jorge NIedbalski (niedbalski gmail com)
In effect the router is unable to process the extremely large list of stdout k logs. I see the same effect with "debug" only. I think that's not a bug, it's only a CPU high usage issue. JNR. On Wed, 01-08-2007 at 10:05 -0600, Shawn Merdinger wrote: > Hi All, > > At level 15 permissions,

Immunity Debugger is now released
2007-08-04 nicolas waisman immunityinc com
Announcing Immunity Debugger v1.0 After almost a year of intensive development and internal use, we are pleased to announce the public release of Immunity Debugger v1.0. When we started developing Immunity Debugger our main objective was to combine the best of the commandline based and GUI b

Really, really, penultimate, PacSec CFP deadline, Aug 10.
2007-07-31 Dragos Ruiu (dr kyx net)
Some folks have been trying to convince us to extend deadlines, so being the sticklers we are, we said: no way... :-) But they convinced us. So to be fair - this is a heads up for others who didn't have time to submit. :-) We'll try to turn around the selection reviews ASAP, before the end of Augus

"debug k" freezing Cisco routers?
2007-08-01 Shawn Merdinger (shawnmer gmail com)
Hi All, At level 15 permissions, when I enter "debug k" on the CLI the router freezes immediately, requiring a manual reboot. While not a vulnerability per se, perhaps something to keep in mind from the fat-finger risk? Anyone else seeing this? Kindest regards, --scm Shawn Merdinger Independent

Re: vulnerabilities in this code chunk
2007-07-28 bluepass gmail com
It is vulnerable to heap overflows. An unsigned int and an unsigned long have the same size (4 bytes), as well as the same range (0 to 4294967295). The function 'copy_data()' takes 'data_len' as an unsigned int. The function 'memcpy()' takes its parameter as a 'size_t' which is nothing but an uns

error in my code
2007-07-27 nobody (pentester yahoo com)
I think that I need a beer. I will bet that there is someone on this list that can pinpoint my error in 15 minutes. I will find some way to get them a beer/wine/soft drink if so. I have found and started to exploit a stack based overflow but am stuck with a simple error in my POC. It is probably

Win32/Vista IE exploitations?
2007-07-22 K2 (ktwo ktwo ca)
I've been writing this exploit for IE (XP2 & Vista in scope, IE6 isn't as there are so many other bugs in that it's pointless to target), let's call it; f7313c45262258a7f695c6898138e7e8 I'm currently working on upping the reliability. I'm at 80% now. Does anybody have any decent cross thread su

Re: [TOOL] winFuzz (1.0.0.1)
2007-07-19 KaCo678 aol com
Hey man, this is great work m8, hats off to you. I would strongly suggest other people take a look at this, and for the bugs, haven't come across any and I don't think I will. Just what we needed. Yeah, there are file fuzzers and, like you said, toaf fuzzer. But this beats them all hands down. I like the way you

Re: Java - JRE, SDK Java Web Start
2007-07-18 jfvanmeter comcast net
Hello Sapa3a, so if I wrote called that would place a called down c:\program files\myprogram\jre\1.5.0_09 and then convinced a user to run in it "Internet Explorer" or possible Outlook, or just good old "Windows" you don't think I could exploit a vulnerability in that version? I know with the Sun J

Re: Java - JRE, SDK Java Web Start
2007-07-18 3APA3A (3APA3A SECURITY NNOV RU)
Dear jfvanmeter (at) comcast (dot) net, Vulnerability in JRE itself can not be exploited directly. It can only be exploited through some JAVA-enabled application, browser in most cases. In case of e.g. JAVA-based Cisco VoIP software, vulnerability in JRE can only be exploited in case vulnerability i

Re: Java - JRE, SDK Java Web Start
2007-07-17 Blue Boar (BlueBoar thievco com)
Even Sun's own installer will not remove previous versions. Even when the security hole was that you could explicitly request a previous version at runtime. No sir, I don't like it. BB jfvanmeter (at) comcast (dot) net wrote: > How does everyone feel about java being installed by vendors in a proprietary

Re: Java - JRE, SDK Java Web Start
2007-07-17 Kish Pent (kish_pent yahoo com)
Good question, first off :) Hey Jfvanmeter, > How does everyone feel about java being installed by > vendors in a proprietary path i.e. program > files\mysoftware\bin\jre\1.4.0\ and never patching > it. > I ran an enterprise scan to look for javaws.exe > and found it in 175 unique paths. Should

Java - JRE, SDK Java Web Start
2007-07-16 jfvanmeter comcast net
How does everyone feel about java being installed by vendors in a proprietary path i.e. program files\mysoftware\bin\jre\1.4.0\ and never patching it. I ran an enterprise scan to look for javaws.exe and found it in 175 unique paths. Should they be held accountable for the patching of java when

[TOOL] winFuzz (1.0.0.1)
2007-07-15 v9 fakehalo us
winFuzz is a security researching fuzzer for windows that behaves more as a precise debugger than a normal random fuzzer. This is done by isolating points (fuzzPoints) in arbitrary files to be tested against programs and/or remote services to attempt to cause memory corruption scenarios in the form

PacSec 2007 Call For Papers (Nov. 29/30, deadline July 27)
2007-07-04 Dragos Ruiu (dr kyx net)
PacSec CALL FOR PAPERS World Security Pros To Converge on Japan TOKYO, Japan -- To address the increasing importance of information security in Japan, the best known figures in the international security industry will get together with leading Japanese researchers to share best practi
>PG> No, this is an entirely new level of attack,
>"New level of attack", what makes you believe that?
Because previously you had to spam users and convince them to go to some
random web site and download who knows what (or follow a link in the spam, or
w