Showing posts with label vulnerability. Show all posts

IE7 0day

Hi, we open the year with a guest post from Vicente Diaz. He will participate with guest posts during this new year, 2009. Welcome, Vicente!

The latest vulnerability in Internet Explorer 7 was a bad one, affecting all previous versions and giving little time to patch it, since malware started to take advantage of it. As explained in my post at S21sec's blog (Spanish), the vulnerability was used in a massive SQL injection campaign along with many other vulnerabilities affecting Real Player, Adobe Acrobat and MS Office, among others.

The vulnerability seems to have been discovered in China and was circulating on the dark market by mid-November, but the disclosure came after Microsoft's Patch Tuesday in December. However, the question of HOW it was discovered does not have an easy answer... I was reading about this at Microsoft's blog and it is not clear at all. Even using SDL this vulnerability is not easy to spot, and it is much more difficult without having the code (as I assume). There is not much room for fuzzers (but they might be useful), and it is not likely to happen just by chance, so it seems someone really took bug finding in IE 7 seriously.

You see these vulnerabilities appearing from time to time, but when you stop to think about this, it is really amazing. As the guys at MS say, the bad guys have all the time in the world to look for vulnerabilities, but developers have tight deadlines and limited resources. This is true, and it makes the use of several layers of security necessary, but my final thought is that the bad guys are going really professional, so we still have a lot of work to do to stop them.


-CMM

Clickjacking Demo

A lot of buzz has been flowing on the net over the last few months about a new type of vulnerability known as "ClickJacking" or "UI redressing". The vulnerability is a variant of Cross Site Request Forgery (CSRF). The idea is simple; here is an explanation found at www.webmonkey.com:

"The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants."

Well, it seems pretty easy and clear, but if you want to see an attack in action, check out the demo at GUYA.NET, where an attacker controls the victim's camera through a ClickJacking attack.

Some of you might be wondering how you can protect against it. The latest version of NoScript (a Firefox plugin that provides protection against XSS) adds protection against ClickJacking.

Be careful where you click ;)

CMM-

Windows Vista - Easy hack

Hi, this time the people from Offensive-Security.com bring us an example of how Windows Vista could be hacked in a very easy way; forget exploits, ASLR, DEP, etc.

Just boot with a live CD, move utilman.exe to utilman.old, and copy cmd.exe to utilman.exe.

Then, in the login window, just press CTRL-U and a console with administrative rights will pop up.

It's the same as the old Windows XP Sticky-keys trick.
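A defensive check for the swap described above, as an added example that is not from the original post or from Offensive-Security.com: it hashes the logon-screen accessibility programs in a live or offline-mounted System32 directory and flags any that are byte-identical to cmd.exe, plus leftover .old copies. The watch list beyond utilman.exe, the function names and the sample files are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Programs reachable from the logon screen (assumed watch list; the post
# names utilman.exe, and sethc.exe is the Sticky Keys binary).
ACCESSIBILITY = ["utilman.exe", "sethc.exe", "osk.exe", "magnify.exe", "narrator.exe"]
SHELL = "cmd.exe"  # the binary copied over utilman.exe in the post


def sha256(path):
    """Hash a file in chunks so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_system32(system32):
    """Return a list of findings for a System32 directory (live or mounted image)."""
    findings = []
    # Windows names are case-insensitive; a mounted image on Linux is not.
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    shell_hash = sha256(files[SHELL]) if SHELL in files else None
    for name in ACCESSIBILITY:
        if name in files and sha256(files[name]) == shell_hash:
            findings.append(f"{name}: identical to {SHELL}")
        # Leftover from the "move to .old" step of the procedure.
        backup = name[:-4] + ".old"
        if backup in files:
            findings.append(f"{backup}: renamed original present")
    return findings


def demo():
    """Constructed sample: a fake System32 in which utilman.exe was swapped."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cmd.exe").write_bytes(b"constructed cmd bytes")
        (root / "sethc.exe").write_bytes(b"constructed sethc bytes")
        (root / "Utilman.exe").write_bytes(b"constructed cmd bytes")
        (root / "utilman.old").write_bytes(b"constructed utilman bytes")
        return audit_system32(root)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the swap is made from a live CD while Windows is not running, the same check is worth running against a mounted disk image during incident response, not only on the live host.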

Video here

Enjoy