Information Windows

Saturday, May 17, 2008

Fun With window()

I finally found a few sites with the window() javascript exploit that are a shameful ripoff of the exploit code you can find at FRsirt or Security Focus. Gee, thanks kind folks at FRsirt and Security Focus!

Anyway, if you use a limited account and an NTFS partition, then you are at no risk. At least the pool of sites I have been to weren't able to touch me. This exploit has been fixed in the latest batch of IE updates; you should go grab it now.

I decided to see if I could clean up an infected machine rather than cheat with the virtual machine's undo-disk feature. I loaded up the unpatched XP SP1 virtual machine and went to an exploit site to get infected. Afterwards, I proceeded to clean up. All was going well, except that one anti-virus and two anti-spyware scans later there was still some cleaning up to do. When I rebooted, an error appeared on startup.

Turns out that the Documents and Settings folder was unreadable. But my question is this: Do you really trust a computer that had been compromised? Are you sure it had been cleaned thoroughly?

My answer to both questions is "No." As a limited user, you could simply delete your profile's folder to allow the system to create a fresh profile. Limited accounts are contained enough that there is no way (assuming an exploit even bothers to launch under a restricted user) for an exploit to drop shortcuts or run commands in areas that are executed by all accounts, administrator or otherwise.

If you get compromised in an account with administrator privileges, you probably have more to worry about. The exploiter can simply replace "Default User" (the profile used as the template when accounts are created and logged onto for the first time) with his own version, or drop files in "All Users." So even if you create a new profile, you'll still have it.
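To check the claim in the previous two paragraphs on your own machine, here is an added PowerShell script (not from the original post) that audits whether low-privilege principals hold write rights on the shared profile locations mentioned above. It assumes Windows PowerShell is installed and the XP-style "Documents and Settings" layout; the list of paths and principals is my own choice.

```powershell
# Added example (not from the original post): report which shared profile
# locations a non-admin logon could write to. A limited account should get
# only "OK" lines; "WRITABLE" means any user could plant files that every
# account picks up, which is the condition the post describes for an
# admin-level compromise.
# Assumption: XP-style layout. On Vista and later use C:\Users with
# "Default" and "Public" instead.
$ProfileRoot = Join-Path $env:SystemDrive 'Documents and Settings'
$SharedPaths = @(
    (Join-Path $ProfileRoot 'Default User'),                          # template copied for new profiles
    (Join-Path $ProfileRoot 'All Users\Start Menu\Programs\Startup'),  # runs for every account at logon
    (Join-Path $ProfileRoot 'All Users\Desktop')
)

# Rights that let a principal plant or replace files (FullControl covers all of them)
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, FullControl'

# Principals that represent ordinary (non-admin) logons
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

foreach ($path in $SharedPaths) {
    if (-not (Test-Path -Path $path)) {
        Write-Output ("MISSING  {0}" -f $path)
        continue
    }
    $acl = Get-Acl -Path $path
    # Keep only Allow entries for low-privilege principals that include a write bit
    $risky = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
    }
    if ($risky) {
        Write-Output ("WRITABLE {0}" -f $path)
        $risky | ForEach-Object { Write-Output ("    {0}: {1}" -f $_.IdentityReference, $_.FileSystemRights) }
    } else {
        Write-Output ("OK       {0} (no write rights for low-privilege principals)" -f $path)
    }
}
```

Run it from an administrator prompt so that the hidden "Default User" folder's ACL can be read.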

So much for the people who think malware dictates their usage negatively instead of pushing them toward least privilege (read: they would rather run resource-hogging programs).
