Code for IE exploit posted

September 17th, 2006 by Sjan Evardsson

Hackers Post Code for New IE Attack

Although the hackers are calling it a 0day exploit, it seems that it isn’t really. It is one of many that can be easily found using the AxMan ActiveX fuzzing engine. It seems that the guys over at xsec.org are trying to take more than reasonable credit for writing code to exploit a known vulnerability.

HD Moore, head of the Metasploit project was quoted in the article as saying:

“This is one of the many exploitable bugs that can be discovered using AxMan and one of the few that I didn’t include in Month of Browser bugs due to the ease of exploitation. I still have three or four left in IE that have similar impact.”

There is also a Secunia Advisory related to this exploit.

Peter Nederlof’s whatever:hover to the rescue!

April 16th, 2006 by Sjan Evardsson

Well, I found a way to do CSS2 drop-down menus and force IE to accept them. It takes a little bit of JavaScript madness created by Peter Nederlof called which forces IE to accept the :hover psuedo-class for any element (as is the spec for CSS2).

While it uses IE specific tricks to make it work, it can be done in such a way as to not break in other browsers. (In other words, the changes are only applied if the browser is IE.)

There is a handy tutorial at SEOConsultants that was incredibly helpful.

Another Firefox vs IE test

February 10th, 2006 by Sjan Evardsson

Earlier today I had a very strange request come across my inbox. An employee of another organization asked me to explain to her IT department why they were wrong in their assesment of Firefox . It seems that since they can push out Internet Explorer patches via WSUS , but not Firefox patches, they made the assumption that Firefox was less secure than IE.

We’ve all heard the arguments to the contrary over and over – including this article today. But there are still organizations where the thinking is “If the patch can’t be pushed out via WSUS, it isn’t secure.”

I realized, that perhaps there are departments (like the one to which I sent the directions below) that are either unaware of how to automate Firefox patching or are too afraid to install it in the first place to have the chance to figure it out.

No, Firefox patching doesn’t happen through WSUS (at least to my knowledge), but it can be fully automated by:

  1. Go to “Tools” -> “Options” -> “Advanced”
  2. Click on the “Update” tab
  3. Check the boxes labled “Firefox”, “Installed Extensions and Themes”, “Search Engines”, “Automatically download ….” and “Warn me if …”

Click “OK” and you’re done. Automatic updating in Firefox. Who knows, once the market share grows enough, you may be able to push Firefox patches through WSUS. Until then, however, the builtin function works great.