If at first you don't succeed; call it version 1.0
Thursday, March 30, 2006

Up until today, in-the-wild exploits for the createTextRange() vulnerability were not so silent.
Having to wait more than a minute while the web browser freezes before the exploit executes was too much for the victims.
Most victims were probably shutting down the browser manually before the vulnerability was actually exploited.

Introducing the Next Generation of the createTextRange() exploit from Metasploit.
This exploit uses non-CPU-consuming techniques to achieve a more silent exploitation.

Now that we have a new generation of exploit out there, we can only hope MS will be fast enough to deliver an out-of-cycle security update for the createTextRange() vulnerability.

P.S. This exploit will also evade most "generic" AV and IPS detections, which mostly look for specific tokens from the old proof-of-concept script instead of using real heuristic detection.


Thursday, March 30, 2006 8:57:15 AM UTC | Security