Notable Vulnerabilities in the History of Client-Side Attacks
To understand the present-day threat environment from client-side attacks, it will help
to understand recent history and the set of attacks that got us here. Due to its prevalence,
we'll again focus on vulnerabilities affecting Microsoft Windows.
MS04-013 (Used by Ibiza and then Download.Ject Attacks)
This vulnerability was a zone elevation attack that resulted in an attacker's HTML being
loaded in the Local Machine zone (LMZ). It was also the first widespread "browse-and-you're-owned"
attack and scared a lot of people into using Firefox. And it was the first
time Russian cybercriminals were so blatantly involved in such an organized fashion. So
it's important to start here.
From the security zones discussion earlier, remember that web pages loaded in the
LMZ can do all sorts of dangerous stuff. The favorite LMZ trick of 2004 was to use the
ActiveX control ADODB.Stream installed by default on Windows as part of MDAC
(Microsoft Data Access Components) to download and run files from the Internet.
ADODB.Stream would only do this when run from the trusted Local Machine zone.
Figure 15-1: Proportion of Microsoft security updates addressing client-side vulnerabilities
The actual vulnerability used in the Ibiza and Download.