If at first you don't succeed; call it version 1.0
Thursday, 22 May 2008

During the past 2 weeks I got tons of questions regarding the 0day treasure hunt and the vulnerability itself. In order to make things more clear and understandable, I've compiled a list of answers for several frequently asked questions.


Q: Why do you involve politics and security?

A: I see nothing politic in celebrating my country's independence day. I'm sure you all do the same in your own country. We also play this treasure hunt game during the Passover holiday, but I thought it will more suite independence day this year. Maybe next year I'll do it earlier in Passover.


Q: Can you explain the clues? I'm not sure how they fit with the 0day treasure.

A: Sure. You can find the clues here. I'll explain each of them by their number.

  1. Obviously, the vulnerability affects Internet Explorer 7.0 and 8.0 beta. According to Secunia it also affects IE6.
  2. In order to exploit the vulnerability the user must interact with the exploit by printing the webpage and enabling the "Print Table of Links" option.
  3. The proof-of-concept code was embedded in all of the pages of the blog.
  4. The proof-of-concept was hidden as a "tracking" script that was dynamically generated in order to generate a link. This script used XMLHttpRequest to get a page that returned the main page of the blog, but with a 404 (File Not Found) status code.
  5. Acidus wrote in a blog post about the Phishing hole I found a year ago in IE7. Both vulnerabilities are within Internet Explorer "local resources". Acidus was right in that I then said that only most of the local resources are running in "Internet Zone". The 0day vulnerability is within a local resource which runs in "Local Machine Zone".
  6. Anchor = HTML anchor (<a> tag) = link. What else can you do with a link? Print it.. (I did say think "out of the box")
  7. Charles Babbage is the inventor of the printer.
  8. This screenshot is of the actual vulnerable code in the local resource script. One line of code is needed to be fixed here.
  9. First video: Print. Second video: Table. Third video: Links. ===> Print Table of Links. Simple as that.


Q: How critical is this vulnerability anyway?

A: Well, it depends. As this vulnerability requires user interaction in order to be exploited, it will surely not be used in a worm scenario. However, it still highly possible to be used in several other attack scenarios. For example, an attacker can add malicious links to massively printed user generated websites (e.g. Wikipedia, technical forums, blogs, etc.) and just wait for the victims to print those pages with the "print table of links" option (usually used to print a "references" appendix).


Q: So if that's the case, why haven't you waited a reasonable time to let Microsoft patch this vulnerability?

A: I've had bad past experience with Microsoft's response time. The last time I used their "responsible disclosure" policy, I had to wait 6 months for them to fix a one line of code in a non core component. As I've already showed, this 0day vulnerability also requires one line of code to be fixed, and I'm sure no one wants to wait 6 months for it to fix. Past experience also shows that Full Disclosure can help in getting a quicker fix. I usually do provide enough time for a vendor to fix a vulnerability.


Q: My security product (Anti-Virus/IPS/IDS) says that it detects this vulnerability. Am I safe to print pages with links?

A: Not necessarily. Even though several AV products have already added a signature to the proof-of-concept I provided (see Figure 1), they only protect you against this specific proof-of-concept. How do I know? Very simple, I just changed the proof-of-concept a little bit (the proof-of-concept still executes Windows Calculator), and tested against VirusTotal again. This time no AV product could detect it (see Figure 2). You can test the new proof-of-concept yourself here. Anyway, you should really ignore the PR guys of the security companies who simply lie when they say that their product protects against this 0day vulnerability. It doesn't. In this case, it just try to protect you against executing Windows Calculator on your machine.


0day-faq-figure1         0day-faq-figure2

Figure 1 - Several AV detect the PoC              Figure 2 - No AV detect the slightly modified PoC

Thursday, 22 May 2008 17:09:28 UTC | Comments [0] | General | Security#
Wednesday, 07 May 2008

[And the winner is: George the Greek]
Today we are celebrating, here in Israel, 60 years of being an independent country. As part of the celebration, I’m releasing a new 0day vulnerability.
One of our customs in Independence day is to play a “treasure hunt” game. In this game there is a treasure hidden somewhere in our beautiful country, and we get mysterious clues that help us find this treasure by traveling to many great sites all over Israel.
In the spirit of this day, I’ve decided not to release full details about this vulnerability yet, but rather play a little “treasure hunt” game.
Somewhere in my blog, I embedded a proof-of-concept code which exploits this 0day vulnerability. The following are some clues that will help you find this 0day treasure:
  1) IE7.0 and IE8.0b users will get pwned.
  2) An interaction with the sploit is needed.
  3) There’s no need to find the post. It’s everywhere.
  4) 404 is the way to go.
  5) Acidus was right! Local resources is the key. 
  6) What else can you do with an anchor? Think out of the box, literally.
  7) Charles Babbage is probably turning in his grave. 
  8) The following screenshot should really help you find the source of the treasure:
9) Put the videos together to find the treasure.

Every day or two I will add a new clue to this list, in a hope that by next Wednesday someone will eventually find the treasure :-)
Next Wednesday I will release the full technical details of this 0day vulnerability and the proof-of-concept code.
Until then, feel free to comment your findings. The first person who will post a comment with the proof-of-concept code and details on how to use it to exploit the vulnerability will be declared as the winner.
Now, I don’t have any laptop prize to give the winner. But, beside the credit for being the first to find a 0day treasure, I’m willing to offer the winner a free entrance to the IsraCON security conference that will take place in Israel this summer.

Happy hunting!

[UPDATE 08-May-2008] Some of you guys out there are already in the right direction, some are not. I've added 2 more clues.
[UPDATE 10-May-2008] You are getting closer. Pay attention to clue number 6.
[UPDATE 11-May-2008] Yet another clue added.
[UPDATE 12-May-2008] I've added a new screenshot clue. 
[UPDATE 13-May-2008] Last clue added (3 videos). The game will end tomorrow evening (Israel time). You still have enough time to find the treasure.
[UPDATE 14-May-2008 02:30] And we have a winner! details soon...
[UPDATE 14-May-2008 16:15] The winner is: George the Greek. Congratulations! Full technical details of the vulnerability are available here.

Wednesday, 07 May 2008 17:07:30 UTC | Comments [26] | General | Security#
Wednesday, 11 October 2006

I've just transfered my domain and hosting to GoDaddy. They seem very nice, and have some good domains/hosting deals.

I also decided to upgrade my dasBlog version to 1.9, which supports a redirection of RSS to feedburner.

So, from now on all my RSS feeds are automatically redirected to my feedburner's account. No need to change your subscription.

Comments, suggestions or flames about the recent changes are more than welcome :)

Wednesday, 11 October 2006 22:24:04 UTC | Comments [2] | General#
Wednesday, 07 September 2005

Finally, I got a ticket for Celine Dion's concert.
The price was lower than the TicketMaster's, and the only problem I've encountered was that I had to take a long walk from my hotel, New York-New York, to the box office at the Caesars Palace hotel, while the outside temperature was over 39 degrees Celsius.

It worthed the sweat. I got an excellent seat in the middle of on one of the front rows.
As the nice old lady at the box office told me: "Well, there is at least one advantage of going to the concert alone..." ;-)

Wednesday, 07 September 2005 22:08:19 UTC | Comments [0] | General#
Sunday, 04 September 2005

Blogging from the air is not something bloggers usually do. I'm very happy to have the opportunity to do so.
I'm writing this post 11km up in the air, in a Lufthansa air flight on our way to Los Angeles.
One and a half hour before we land , we've just passed Denver.
Having an Internet connection on a flight is a great time killer, especially after over 14 hrs of flight from Israel.

As you've already know, I'm on my way to one week of vacation, and then to the PDC conference.
Unfortunately, I couldn't buy the ticket to Celine Dion's concert through TicketMaster. I didn't know I had to buy the ticket 10 days before the concert. :(
I hope they'll still have good seats left when I'll get to Vegas.

Mean time I hope to enjoy LA the same as my last visit.

Sunday, 04 September 2005 19:48:52 UTC | Comments [0] | General#
Send me an Email
Follow me on Twitter
RSS Feeds
Admin Login
Sign In
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.