-
19-Apr-2005 File Selection May Lead to Command Execution.
By simply enticing a user to select a malformed file in Windows Explorer, an attacker can execute arbitrary commands with the
privileges of the currently logged-on user.
-
05-Dec-2004 Online Script Decoder.
Recently, malicious attackers have started to use the Microsoft Script Encoder in order to evade anti-virus programs that rely on
text-matching for virus detection. Such encoded scripts also prevent advanced users from immediately seeing that a script may be
trying to exploit a vulnerability in their browser. Note that the encoding is reversible by design: the browser's script engine has
to decode the script before it can run it, so the encoding provides obfuscation, not protection.
The new online script decoder will quickly and automatically decode any script that was encoded with the Microsoft Script Encoder
(screnc.exe).
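To make the evasion concrete, here is an added example that is not GreyMagic's decoder and not code from the original page: a naive text-matching check that hits the plain script but misses its encoded form, beside a detector that flags the encoded container itself. Both sample pages are constructed, and the bytes between the markers are a placeholder rather than real screnc.exe output; the `#@~^` / `^#~@` markers and the JScript.Encode / VBScript.Encode engine names are the real ones.

```javascript
// Added example (not part of GreyMagic's page or decoder). Shows why a
// text-matching anti-virus rule misses Script Encoder output and how to flag
// the encoded container instead. Sample pages are constructed; the encoded
// body below is placeholder text, NOT genuine screnc.exe output.

// A plain script whose source text a signature could match.
const PLAIN_PAGE = `<html><body>
<script language="JScript">
var sh = new ActiveXObject("WScript.Shell");
sh.Run("calc.exe");
</script>
</body></html>`;

// The shape a page carrying screnc.exe output has: the language attribute
// names the decoding engine and the body sits between "#@~^" and "^#~@".
// A real body is a reversible substitution of the source, so none of the
// original text survives for a signature to match.
const ENCODED_PAGE = `<html><body>
<script language="JScript.Encode">
#@~^PLACEHOLDER-NOT-REAL-SCRENC-OUTPUT^#~@
</script>
</body></html>`;

// Naive signature: verbatim text taken from the known-bad plain source.
function naiveSignatureHit(page) {
  return /ActiveXObject\("WScript\.Shell"\)/.test(page);
}

// Container-based detection: key on the encoding engine or the marker pair,
// not on the script content. Returns one finding per hit so an analyst can
// pull each block out for decoding.
function findEncodedScripts(page) {
  const findings = [];
  let m;

  // Case 1: <script language="JScript.Encode"> or "VBScript.Encode";
  // the attribute may be unquoted and sit anywhere in the tag.
  const langRe =
    /<script\b[^>]*\blanguage\s*=\s*["']?((?:JScript|VBScript)\.Encode)\b/gi;
  while ((m = langRe.exec(page)) !== null) {
    findings.push({ kind: 'language-attribute', engine: m[1], offset: m.index });
  }

  // Case 2: the marker pair itself, which also catches encoded script that
  // arrives outside a script tag (e.g. .jse/.vbe files, screnc.exe's output
  // for .js/.vbs input).
  const markerRe = /#@~\^([\s\S]*?)\^#~@/g;
  while ((m = markerRe.exec(page)) !== null) {
    findings.push({ kind: 'marker-pair', bodyLength: m[1].length, offset: m.index });
  }

  return findings;
}

// Combined verdict: what a scanner should report for a page.
function classify(page) {
  if (findEncodedScripts(page).length > 0) return 'encoded-script';
  if (naiveSignatureHit(page)) return 'known-bad-plaintext';
  return 'no-hit';
}
```

Flagging the container is the cheap check; a flagged body still has to be decoded (as the online decoder does) before its behaviour can be judged, so treat the finding as "obfuscated script present", not as a verdict on what it does.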
-
09-Oct-2004 Internet Explorer vulnerability makes a comeback.
Interestingly enough, the regression is only visible when the <script> block is introduced as static HTML in the page; blocks added
dynamically (via document.write) remain protected.
-
17-Aug-2004 Opera discloses whether local resources exist.
While working on a proof-of-concept exploit for the previous Opera advisory, we needed a way to detect the victim's system root
directory in order to locate a specific resource that is required for exploitation.
-
05-Aug-2004 Location, Location, Location.
GreyMagic revealed a new critical vulnerability in the Opera browser today.
The vulnerability is a new variant of an older vulnerability GreyMagic detected in February last year. This time the "location"
object wasn't sufficiently protected.
Many severe impacts arise from this vulnerability, including:
- Read access to files on the victim's file system
- Read access to lists of files and folders on the victim's file system
- Read access to emails written or received by M2, Opera's mail program
- Cookie theft
- URL spoofing (phishing)
- Tracking of the user's browsing history
- Much more...
GreyMagic worked closely with Opera to produce a patch, which was released earlier today.
-
03-Jun-2004 Two new unrelated vulnerabilities.
First, a phishing-related vulnerability in the Opera web browser. A malicious attacker is able to fool Opera into showing a fake
address in its address bar, thereby enabling identity theft, credit card scams and other attacks on unsuspecting users.
The second vulnerability is yet another severe Cross-Site Scripting vulnerability in the popular Yahoo! web-based email service. It
was again possible to bypass Yahoo!'s email filtering engine and inject script into an email. This vulnerability could affect over
100 million Yahoo! users, who could have been attacked simply by opening an email for reading.
-
23-Mar-2004 Hotmail and Yahoo Remotely Exploitable.
GreyMagic has detected a severe security vulnerability in both of these popular services, which allows attackers to run code of
their choice simply by sending an email to an unsuspecting Hotmail or Yahoo user. When the victim attempts to read this email, the
code executes and may result in severe consequences.
Such a vulnerability can be exploited in many ways, including account take-over, mail reading, mail writing, address book access,
worm distribution and more.
-
07-Oct-2003 Adobe SVG Viewer's Trio.
GreyMagic today released three advisories, discussing vulnerabilities in the popular Adobe SVG Viewer (ASV) browser plugin. Two of
the vulnerabilities are rated critical.
The last advisory, also rated critical, Adobe SVG Viewer Cross Domain and Zone Access, presents a way to access other domains and
zones. Some of the impacts of this vulnerability are cookie theft, website impersonation, local file reading, local file writing and
arbitrary command execution. This could lead to full control over the victim's computer.
As always, all advisories contain proof-of-concept demonstrations and code.
Following GreyMagic's report, Adobe has issued a patched version (ASV 3.01) and made it available on the official ASV download site.
-
17-Jun-2003 Another Two Internet Explorer Vulnerabilities.
-
04-Feb-2003 Phantom of the Opera.
GreyMagic published five new advisories today, specifying severe flaws in the new version of the Opera web browser, which was
released just last week.
The last two vulnerabilities are not as critical, but they are pretty severe as well. Opera exposes sensitive private information
about the user by making it possible for a web site to access the URLs that the user last visited. They are Opera: What's Next and
Sniffing Opera's Tracks.
Full details and demonstrations (along with a little bonus) are available at the links above.
UPDATE: Opera once again lived up to its excellent response record and released version 7.01, only 5 days after initial
notification. The new version appears to fix all of the reported issues. Upgrade as soon as possible.
-
06-Dec-2002 And then there was one, more or less.
MS02-068 was released Wednesday, fixing the "external" object caching flaw.
Strangely though, the vulnerability is rated "moderate". It allows reading of any cookie on any site you visit, reading of any file
on your system and the execution of arbitrary commands, yet, somehow, it is rated "moderate", the second lowest possible rating.
This isn't the first time Microsoft has downplayed a vulnerability; only two weeks ago MS02-066 was released full of inaccuracies
(which were corrected after we emailed Microsoft) that made the vulnerabilities seem much less severe.
This appears to be a new trend at Microsoft; previous vulnerabilities were correctly rated until now.
Just to compare, a vulnerability we discovered in IE back in February, which could only be used to read very specific files
with a very specific structure, was rated "critical". It appears that Microsoft has changed its mind about how severe it is for an
attacker to read any of your files, and that's without even mentioning the rest of the devastating impacts this vulnerability presents.
The "clipboardData" vulnerability is, of course, still open and waiting for a patch, as are GM#002-IE, GM#003-IE and GM#004-IE,
which have been waiting for around nine months.
UPDATE: Microsoft revised its bulletin to finally read "critical", quite a leap from "moderate". Ironically, MS02-066 is
still only rated "important", yet it addresses over 10 vulnerabilities that have the exact same impacts as this one.
Inconsistency is still better than downplaying the vulnerabilities, though.
-
21-Nov-2002 Microsoft patches some holes and leaves a few for later.
Microsoft released MS02-066 today, fixing 9 of the 11 vulnerabilities we recently discovered.
The two vulnerabilities left out of Microsoft's patch are "external" and "clipboardData", which were reported in last month's
GM#012-IE advisory. One of these still allows full access to the "My Computer" zone, resulting in arbitrary command execution.
Hopefully, the remaining vulnerabilities will be addressed in the next few weeks. In the meantime, don't rush to re-enable Active
Scripting after applying this patch.
-
22-Oct-2002 Nine new Internet Explorer vulnerabilities.
GreyMagic released advisories for nine Internet Explorer vulnerabilities today, eight of them rated critical.
With all of them combined, an attacker can easily steal private local documents, steal cookies from any site, forge trusted web
sites, steal clipboard information and even execute arbitrary programs.
UPDATE: The advisory at first wrongly stated that IE6 SP1 is not vulnerable. However, it is vulnerable to two of the listed flaws
(the "external" object and "clipboardData" object vulnerabilities), so upgrading to IE6 SP1 will not help in these cases.
The advisory and demonstration have been revised accordingly.