[esa-l] ANN: Javascript Obfuscation patch for 1.151 and earlier

John D. Hardin jhardin at impsec.org
Mon Feb 13 09:11:27 PST 2006


All:

I've seen an email with a javascript obfuscation technique that the
sanitizer didn't detect. I've produced a quick patch to cover it. This
patch works with 1.151 and should work with earlier releases as well.

The patch is available at:

    http://www.impsec.org/email-tools/obfuscated_javascript.patch

And applying it is simple. To apply the patch, save the patch to the
directory where your sanitizer is saved (typically /etc/procmail) and
run the following command:

    patch --backup <obfuscated_javascript.patch 

Applying this patch is recommended, as the obfuscation technique was
seen in a message in-the-wild, and may be part of a currently active
attack vector.

This patch or an improved version will be in the next stable release.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The first time I saw a bagpipe, I thought the player was torturing
  an octopus. I was amazed they could scream so loudly.
                                        -- cat_herder_5263 on Y! SCOX
-----------------------------------------------------------------------
 9 days until George Washington's 274th Birthday



More information about the esa-l mailing list