I'm not saying it's not real, but I'm surprised that it hasn't hit BUGTRAQ or NTBUGTRAQ yet.
It's also suspicious because they're describing an exploit that apparently is embedded inside images.
This would imply that it's a vulnerability in one of the image rendering formats, like TIFF, JPG, or GIF.
If such a vulnerability exists, it's likely that it hits all browsers, not just IE.
Another 0day? I'm getting a strange feeling of déjà vu.
Is Microsoft investigating it?
Interesting. I wonder what eWeeks "Security experts" source is. Hope Microsoft is already hard at work fixing it. Break out the whip.
Beats me, I don't work in MSRC.
I'd be surprised if they weren't, but that all depends on if this is real or not.
It also depends on if this is a new exploit or not. It might not be, there have been exploitable bugs in image decoding before.
Edit: One thing to keep in mind here: AFAIK, NeoWin.Net makes it's money by being as sensationalist as possible, so does eWeek. It's also critical for them to put news up as quickly as possible to avoid being "scooped".
Neowin in particular has a reputation of putting up news first and then verifying it.
I'm not saying this isn't real. It very well may be. But it'll be interesting to see how it plays out.
As I said before, if it was real, I'd expect that NTBUGTRAQ or BUGTRAQ would be all over this, but there's been no traffic on it so far today.
It may just be a slow day on the lists though, this could be another 0day exploit.
They almost certainly are. But, if you ever find an exploit please let us know at
email@example.com -- they do watch that alias and respond to it (I know, I've sent a few things over there).
Good point Robert. firstname.lastname@example.org IS monitored, 24x7 (we've had people report problems on Sunday morning at 1am and because we didn't respond to the vulnerability within 12 hours they assumed we weren't
listening and instead of working with MS, they just publicly announced the vulnerability).
I'm still not convinced about the reality of this one.
I looked at Netsec's web site and they don't have any information on it, which is actually good, because it implies that they're not announcing this to garner publicity for their company (this has happened before).
One of the issues with security is that for every eEye or NGSB out there, there are a bunch of people who would love to sell their products and are more than willing to cry wolf in order to increase their sales.
That's actually why I'm suspicious. Usually news of this kind of thing starts showing up on bugtraq before it hits the press.
The fact that Netsec hasn't put up a press release indicates that it's possible that they're working with MSRC to figure out what's going on. Which would be a good thing.
If it's real, there should be an announcement of some kind soon.
If this exploit uses the 'Jelmer vulnerability', fixing IIS still leaves MSIE open for someone else to exploit. Come on, either get XPSP2 out the door or fix
Hmm. Symantec has named it JS.Scob.Trojan. Are you moonlighting Scoble?
Thanks Microsoft, I was one of your biggest supporters in my organization.
Linux looks better every day, and Opera/Firebird are a slam dunk.
Vance, Come on man. When linux gets big enough the script kiddies will attack it as well. They get more bang for the buck by attacking MS right now.
True that. It's not like Linux based systems are unheard of on Bugtraq or Full Disclosure. No one is perfect (including me).
Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums, or Contact Us and let us know.