
This is kind of scary....

Discussion in 'Computer Security' started by ffreeloader, Oct 29, 2007.

  1. ffreeloader

    ffreeloader Terabyte Poster

    It seems IE will happily ignore all 0x000 bytes located between other characters, and render the code it separates. Also, most, if not all, antivirus products will not catch this either. It seems this exploit has been around for a long time too. For more info take a look at the following link.

    This means all a malware writer has to do to hide his code from both IE and current AV products is to place multiple 0x000 bytes between the characters of his scripts, and IE will run the script while the AV that should catch it does nothing.

    http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  2. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    That's why I don't use IE :D
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  3. ffreeloader

    ffreeloader Terabyte Poster

    This is also one reason I don't use MS products, period. There are a lot of unpatched holes that MS has allowed to exist in all their products, even though they have known about them, for years. This is just one example of this kind of stuff.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  4. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    According to the feedback on that page, FF will also ignore one zero byte, though any more and the page will not render properly. We have no further information to make valid comparisons regarding how other browsers deal with this specific issue.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  5. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    I was always told IE had lots of holes and using FF would minimise the amount of holes in a browser, although I am aware not everything can be 100%, but I would take 90 over 80 if you know what I mean.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  6. ffreeloader

    ffreeloader Terabyte Poster

    Most AVs will catch the malware if it has only one 0x000 byte between characters though. The major problem is the multiple 0x000 bytes between characters, and IE still being willing to render the code.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  7. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Don't get me wrong Freddy, I am not saying IE is safe, far from it. I am just saying that we have no reliable info that relates to how other browsers deal with zero bytes. FF, we are told, will parse one zero byte without blinking, but what about Opera? Safari? etc.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  8. ffreeloader

    ffreeloader Terabyte Poster

    I don't really know. But I do know that these browsers were all designed with a lot more thought towards security than IE was.

    This is as big a problem for the AV companies as it is for MS in my eyes. They have known about this and done nothing to close it either.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  9. Mitzs
    Honorary Member

    Mitzs Ducktape Goddess

    I have yet to have a problem in IE. I've been using it since 99.
     
    Certifications: Microcomputers and network specialist.
    WIP: Adobe DW, PS
  10. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    I would rather be safe than sure but I also don't like the way IE looks.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
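
A defensive take on the behaviour described in the first post, as an added example that is not part of the original thread: a scanner that strips NUL bytes (or properly decodes BOM-marked UTF-16) before signature matching, so NUL-padded script is inspected the way a NUL-tolerant renderer would see it. The signatures, the sample page and all function names are constructed for illustration.

```python
import re

# Constructed signature list for illustration; real engines use far richer patterns.
SIGNATURES = [re.compile(rb"<script", re.I), re.compile(rb"document\.write", re.I)]
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")


def normalize(data: bytes) -> bytes:
    """Return the bytes a NUL-tolerant parser would effectively act on."""
    if data.startswith(UTF16_BOMS):
        # Legitimate UTF-16: NULs belong to the encoding, so decode it properly.
        return data.decode("utf-16", errors="replace").encode("utf-8")
    return data.replace(b"\x00", b"")


def longest_nul_run(data: bytes) -> int:
    """Length of the longest run of consecutive NUL bytes."""
    return max((len(r) for r in re.findall(rb"\x00+", data)), default=0)


def scan(data: bytes) -> dict:
    """Match signatures against both the raw and the normalized content."""
    is_utf16 = data.startswith(UTF16_BOMS)
    raw_hits = [s.pattern for s in SIGNATURES if s.search(data)]
    norm_hits = [s.pattern for s in SIGNATURES if s.search(normalize(data))]
    return {
        "raw_hits": raw_hits,
        "normalized_hits": norm_hits,
        "longest_nul_run": 0 if is_utf16 else longest_nul_run(data),
        # Signatures visible only after stripping NULs were hidden by padding.
        "evasion_suspected": not is_utf16 and set(norm_hits) > set(raw_hits),
    }


def pad(data: bytes, n: int) -> bytes:
    """Build a constructed test sample with n NUL bytes between every byte."""
    return (b"\x00" * n).join(bytes([b]) for b in data)


PLAIN = b"<html><script>document.write('hi')</script></html>"  # constructed sample

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN), ("1 NUL", pad(PLAIN, 1)), ("3 NULs", pad(PLAIN, 3))]:
        print(label, scan(sample))
```

Any non-UTF-16 HTML with a non-zero `longest_nul_run` is worth flagging on its own, since ordinary single-byte-encoded pages have no reason to contain NUL bytes.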
