Monday, November 23, 2009

IE 0-day in the wild... again

As you probably know me, I'm obsessed with IE 0-day vulnerability..
Apparently there is on in the wild...

IE6 and IE7 0-Day Reported


Wednesday, November 11, 2009

drive by install... MS09-065.mspx

nasty one..

Allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font.
Windows version is affected: windows 2000, xp,... 2008 server (windows 7 & server2008R2 not).
Meaning if a victim browse to attacker website using IE, the attacker can take control of the computer...




does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.


Tuesday, November 10, 2009

take it easy

seeing is believing