On-going Internet Emergency and Domain Names

Mark Green admin at digibase.ca
Sat Mar 31 06:00:44 UTC 2007

On Friday 30 March 2007 23:05, Fergie wrote:
> -- "Steven M. Bellovin" <smb at cs.columbia.edu> wrote:
> >Jeff Shultz <jeffshultz at wvi.com> wrote:
> >> I won't discount the assertion that there is some sort of emergency
> >> occurring. I would however, like to see a bit of a reference to where
> >> we can learn more about what is going on (I assume this is the
> >> javascript exploit I heard about a couple days ago).
> >
> >No -- it's a 0day in Internet Explorer involving animated cursors --
> >and it can be spread by visiting an infected web site or even by email.
> Not that I like being in the position of correcting Steve :-) but the
> real answer is "yes" and "no" -- or ctually just yes.
> While the 0-day exploit is the ANI vulnerability, there are many,
> many compromised websites (remember the MiamiDolhins.com embedded
> javascript iframe redirect?) that are using similar embedded .js
> redirects to malware hosted sites which fancy this exploit.

Also to expand on that, if someone embeds this exploit or an iframe onto a 
high traffic site that's known to be "safe", via things like comment fields 
where HTML is allowed there's no telling the number of infections, it could 
possibly be in the hundreds of thousands of systems if an official patch 
isn't released - I hope Microsoft intends to release a patch by Monday at the 

> And some of them have vast audiences, increasing the potential
> for a major "issue" -- TBD.


> Track with the SANS ISC -- they're doing a good job of keeping the
> community abreast.
> Cheers,
> - ferg

More information about the NANOG mailing list