Microsoft Investigating Reports of New IE7 Exploit

Microsoft said it is investigating reports that a new exploit is going around that takes advantage of an unpatched security hole in Internet Explorer 7.

The SANS Internet Storm Center, which tracks hacking trends, said today that while the exploit does not appear to be widely in use at the moment, that situation is likely to change soon, since instructions showing criminals how to take advantage of this flaw have been posted online.

SANS emphasizes that this vulnerability is not one that was fixed in the massive bundle of patches that Microsoft issued yesterday. It is not clear what steps users can take to protect themselves against this threat, other than to browse the Web with something other than IE, such as Mozilla Firefox or Opera. This appears to be the type of vulnerability that could be used to give attackers complete control over an affected system merely by convincing users to browse to a specially-crafted hacked or malicious Web site.

According to SANS, the exploit works against fully-patched Windows XP and Windows 2003 systems with Internet Explorer 7.

http://voices.washingtonpost.com/securityfix/2008/12/exploit_for_unpatched_internet.html

IE7 XML parsing zero day exploited in the wild

http://blogs.zdnet.com/security/?p=2296

In-the-wild attacks find hole in (fully-patched) IE
Hardened browser pwned

http://www.theregister.co.uk/2008/12/09/zero_day_ie_flaw_exploited/

Will Avast protect us from this?

[b]Is there a new remote data execution exploit for IE7?[/b]

All that anyone knows for certain as of today is that there are some browsers that appear to be the victim of new attacks using a very old profile: embedded binary code for graphic objects appearing in IE7 Web pages.

In a security advisory issued yesterday, Microsoft acknowledged that its security team is investigating reports of a new data execution prevention exploit in Internet Explorer 7 that was not addressed during the previous Patch Tuesday cycle, though it stopped short of explicitly saying such an exploit actually exists.

The advisory says the company is aware of certain attacks, though the way it said so implied that Microsoft learned of these attacks through customers, not through research. Security firms that have contacted BetaNews thus far also appear to have been caught off-guard, saying only that their respective security products deliver full protection against the problem…whatever it is.

Once again, the best clue we have as to the nature of the problem lies in Microsoft’s suggested workarounds for customers, which it says will protect them from experiencing the attacks’ known symptoms. The number one measure it suggests customers should take is to set both Internet and Local Security zone settings (through the Security tab on the Internet Properties control panel) to High prior to running any page that uses an ActiveX control or Active Scripting.

http://www.betanews.com/article/Is_there_a_new_remote_data_execution_exploit_for_IE7/1229012489

I think WebShield should catch it.


[b]Chinese researchers inadvertently release IE7 exploit code[/b]

Chinese security researchers have admitted that they inadvertently released code that might be misused to exploit an unpatched Internet Explorer 7 vulnerability.

Scripts to pull off the trick were already on sale in underground forums before the inadvertent release. Even so, anything that increases the likelihood of digital delinquents getting their hands on the exploit is unwelcome.

VeriSign’s iDefense security division reports that attack code was up for sale at prices of up to $15,000 through underground forums. Prices are likely to slide following the escape of assault code from labs run by KnownSec.

Security tools firm eEye reckons the flaw has been the target of exploitation since 15 November.

According to iDefense, KnownSec made the code available after failing to realise that last Tuesday’s Microsoft bulletins failed to fix the underlying vulnerability behind the bug, which revolves around IE7’s handling of malformed XML tags. An explanation of what happened by KnownSec (in Mandarin) can be found here.

The flaw affects XP and Vista users, and creates a means to load Trojans or other forms of malware onto even fully patched Windows boxes simply by tricking surfers into visiting maliciously constructed websites. Thus far the attack method has been restricted to delivering game password stealers, the Internet Storm Centre reports.

Microsoft is investigating reports of attacks and considering its options. The timing of the attack in the run up to the holiday period and just after a bumper batch of eight bulletins suggests an out of sequence patch might be on order before the next scheduled Patch Tuesday, on 13 January.

http://www.theregister.co.uk/2008/12/11/ie7_exploit_leak/

Hi FwF,

As you read here: http://forum.avast.com/index.php?topic=40843.0 only 4 av scanners detect the second exploit at the mo. Advised to disable JS for IE7 and install DEP, or refrain from using IE until patched for this, and use Fx with NoScript.

pol

Thanks igor

[b]IE zero day bites broader group of users[/b]

Misconceptions about root cause also exposed

Researchers are warning that the unpatched security vulnerability in Microsoft’s Internet Explorer affects more versions of the browser than previously thought, and that steps users must take to prevent exploitation are harder than first published.

According to an updated advisory from Redmond, the bug that’s been actively exploited since Tuesday bites versions 5.01, 6, and 8 of the browser, which is by far the most widely used on the web. A previous warning from Microsoft only said that IE 7 was susceptible to the attacks. IE is susceptible when running on all supported versions of the Windows operating systems, Microsoft also says.

What’s more, while there is some protection from Vista’s User Account Control, the measure doesn’t altogether prevent the attack, according to this post on the Spyware Sucks blog. Microsoft and others have suggested that those who must use IE in the next few weeks set the security level to high for the internet security zone or disable active scripting. These are sensible measures, but they don’t guarantee you won’t be pwned, according to this post from the Secunia blog.

Secunia goes on to revise what it says is the cause of the vulnerability. Contrary to earlier reports that pinned the blame on the way IE handles certain types of data that use the extensible markup language, or XML, format, the true cause is faulty data binding, meaning exploit code need not use XML.

Microsoft has yet to say whether it plans to issue a fix ahead of next month’s scheduled release. For the moment, the volume of in-the-wild attacks remains relatively modest and limited mostly to sites based in China. But because attackers are injecting exploits into legitimate sites that have been compromised, we continue to recommend that users steer clear of IE until the hole has been closed.

Plenty of other researchers have weighed in with additional details about the flaw. Links from SANS, Sophos, and Hackademix here, here and here.

http://www.theregister.co.uk/2008/12/12/ie_zero_day_misconceptions/

[b]Microsoft: Big Security Hole in All IE Versions[/b]

On Wednesday, Security Fix warned readers about a newly-discovered security hole in Internet Explorer 7. I’m posting this again because Microsoft now says the flaw affects all supported versions of IE, and because security experts are warning that a large number of sites are being compromised in an effort to exploit this vulnerability and install malware on vulnerable systems.

http://voices.washingtonpost.com/securityfix/2008/12/microsoft_big_security_hole_in.html

I don’t like to be the bearer of bad news, but AV detection is poor:

And don't count on your anti-virus program to save you from these types of attacks. A scan of the exploit being served up by several of the hacked sites produced atrocious results: VirusTotal.com reported that only four out of the 32 anti-virus programs it used to scan the malware detected it as malicious or suspicious.

The article has advice on mitigating the threat from MS, and BK also gives his own advice.

Is it a threat at all - there are some dissenting voices raised here http://www.betanews.com/article/What_we_suddenly_dont_know_about_the_new_IE_exploit/1229095960

Just how many online news sources have to repeat a piece of information before it becomes, by default, true? That's the question faced by literally everyone, including BetaNews, who reported on Microsoft's revelation earlier in the week of what was believed to be the existence of new attacks affecting its Web browsers.

Hi essexboy,

Would you expect another policy? Apparently there is crash code and nobody knows the full ramifications of it at the moment. Later when there is a patch, all can play it down and minimize the implications. There is a term for such an attitude: “Security through obscurity”. Millions of victims from an exploit by a browser with an 80% platform worldwide - nothing wrong?

polonus

The BetaNews story refers to the Secunia blog:

Internet Explorer Data Binding 0-Day Clarifications
12:25 CET on the 12th December 2008. Entry written by Carsten Eiram.

As everyone using Internet Explorer is hopefully aware, there’s a new 0-day circulating. There has been a lot of confusion as to both the problem cause and the browser versions affected, but in this blog, I should be able to sort it all out.

Basically, this vulnerability was initially reported by everyone (including ourselves) as an XML processing vulnerability in Internet Explorer 7. PoCs and working exploits were immediately made publicly available by various sources and security vendors were quick to report that their products were successfully detecting attacks. But were they really?

My team and I take pride in delivering the most accurate vulnerability information available! In order to do so, we naturally have to go that extra mile compared to other vulnerability information providers and thus sort out the real cause of a vulnerability, filling in any blanks in the process. Naturally, nice Christmas postcards sent to our office as thanks or alternatively an Xmas beer cheers for us are most welcome.

After having published our initial advisory concerning this 0-day, one of my guys was therefore tasked with figuring out the exact nature of the problem. It turned out that a lot of available information and assumptions were wrong. Assumptions usually are, which is also why my department treasures the saying: “Assumption is the mother of all fuck-ups” (and people claim nothing good ever came out of a Steven Seagal movie)…

Yesterday, I therefore gave Microsoft a heads-up about this and then had our advisory updated accordingly. A binary analysis was also provided to the security vendors on our BA service to ensure that their signatures actually do catch attacks. Over night (Danish night that is), Microsoft updated their advisory to reflect this new information.

To clarify three common incorrect assumptions about this vulnerability:

Assumption: Only Internet Explorer 7 is vulnerable.
Correction: No, at least Internet Explorer 6 is also affected, but not by the public exploits that are currently available. According to Microsoft’s updated advisory, IE 5.01 is also affected. We have not confirmed this yet, but it seems plausible.

Assumption: The core problem is related to XML processing.
Correction: No, it’s related to data binding. Working exploits can be created nicely without using XML.

Assumption: Setting the security level to “High” for the “Internet” security zone or disabling “Active Scripting” support protects me against attacks.
Correction: Technically no. It is still possible to trigger the vulnerability. However, it does make exploitation trickier as it protects against attacks using scripting.

http://secunia.com/blog/38/

It certainly seems to be real threat.

Microsoft is talking about limited attacks (translation: we’re getting pwned all over the web. :stuck_out_tongue: )

http://www.microsoft.com/technet/security/advisory/961051.mspx

Some good advice in the comments section at BetaNews, though:

Don't see a problem, popped over to the Microsoft page, read their advisory on how to make my version of IE8 beta 2 safe, did what they suggested. Now I will disconnect my machine from the mains, place it in the garden and wait until the panic has subsided.

;D

From the Microsoft advisory page:

Which of the workarounds should I apply to my system in order to be protected?

Based on our investigation, setting the Internet zone security setting to High will protect users from known attacks. However, for the most effective protection, customers should evaluate a combination of using the High security setting in conjunction with one of the following workarounds.

• Disable XML Island functionality

• Restrict Internet Explorer from using OLEDB32.dll with an Integrity Level ACL

• Disable Row Position functionality of OLEDB32.dll

• Unregister OLEDB32.dll

• Use ACL to disable OLEDB32.dll
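The workarounds quoted above are hard to verify by eye once they have been applied across several zones and files. The script below is an added example for this thread (not code from the forum, from Microsoft's advisory or from Secunia): a read-only PowerShell audit that reports whether the Internet and Local intranet zones are set to High with Active Scripting disabled, what the DEP policy is (the measure pol mentions earlier in the thread), and whether oledb32.dll carries the deny ACL workaround. It changes nothing. The registry layout it reads (zone keys 1 and 3 under Internet Settings\Zones, CurrentLevel 0x12000 meaning High, value 1400 holding the Active Scripting setting) and the file path of oledb32.dll are my assumptions about the standard IE and OLE DB layout, not values taken from this page.

```powershell
# Added example: read-only audit of the IE 0-day workarounds discussed in the thread.
# Not from the forum or from Microsoft's advisory. Assumed layout (labelled here):
#   - per-user zone settings under HKCU\...\Internet Settings\Zones\<n>, zone 1 = Local
#     intranet, zone 3 = Internet; CurrentLevel 0x12000 = "High"; value "1400" =
#     Active Scripting (0 enable, 1 prompt, 3 disable)
#   - oledb32.dll under "<Program Files>\Common Files\System\Ole DB"
#   - the "Use ACL to disable OLEDB32.dll" workaround shows up as a Deny ACE for the
#     well-known Everyone SID S-1-1-0

$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$HighLevel = 0x12000

function Get-IEZoneStatus {
    param([Parameter(Mandatory)][int]$Zone)
    $props  = Get-ItemProperty -Path (Join-Path $ZonesKey $Zone) -ErrorAction SilentlyContinue
    $level  = if ($null -ne $props.CurrentLevel) { [int]$props.CurrentLevel } else { -1 }
    $script = if ($null -ne $props.'1400')       { [int]$props.'1400' }       else { -1 }
    [pscustomobject]@{
        Zone            = $ZoneNames[$Zone]
        CurrentLevel    = $(if ($level -ge 0) { '0x{0:X}' -f $level } else { 'not set' })
        LevelIsHigh     = ($level -eq $HighLevel)
        ActiveScripting = $(switch ($script) { 0 {'Enabled'} 1 {'Prompt'} 3 {'Disabled'} default {'Unknown'} })
    }
}

function Get-DepPolicy {
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
    # "OptIn" covers Windows binaries only, so IE is not necessarily protected by it.
    $policy = [int](Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (Windows binaries only)'; 3 = 'OptOut' }
    [pscustomobject]@{ DepPolicy = $policy; Meaning = $names[$policy] }
}

function Get-OledbAclStatus {
    param([Parameter(Mandatory)][string]$Path)
    $denied = $false
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        # Translate the account name to a SID so the check works on localized systems.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq 'S-1-1-0') { $denied = $true }
    }
    [pscustomobject]@{ File = $Path; EveryoneDenied = $denied }
}

# Both the native and, on 64-bit Windows, the 32-bit copy of oledb32.dll are checked.
$OledbPaths = foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($root) {
        $p = Join-Path $root 'Common Files\System\Ole DB\oledb32.dll'
        if (Test-Path -Path $p) { $p }
    }
}

Write-Output '== IE security zones (HKCU) =='
foreach ($zone in 1, 3) { Get-IEZoneStatus -Zone $zone }
Write-Output '== DEP policy =='
Get-DepPolicy
Write-Output '== oledb32.dll deny ACL workaround =='
if ($OledbPaths) { foreach ($p in $OledbPaths) { Get-OledbAclStatus -Path $p } }
else { Write-Output 'oledb32.dll not found (already removed, or non-standard install path)' }
```

Run it as the user whose IE settings are in question, since the zone settings live in HKCU; the ACL and DEP checks need no elevation. A zone reporting LevelIsHigh = True and ActiveScripting = Disabled matches what Microsoft says protects against the known attacks, while Secunia's clarification quoted earlier in the thread is the caveat: it makes exploitation harder, not impossible, which is why the deny ACL or unregistering oledb32.dll is listed alongside it.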

Hi darth_mikey,

See: http://blogs.technet.com/swi/archive/2008/12/12/Clarification-on-the-various-workarounds-from-the-recent-IE-advisory.aspx

There are six ways of blocking access to the crash code; three ways to configure against the vulnerability; three ways to make it harder for the crash code to strike. This is indicating something, and what we will be hearing sooner or later, but for the moment I would leave IE and use another browser that does not have vulnerable code in MSHTML.dll via OLEDB etc.

pol

I guess Microsoft will have to discontinue its support of IE and announce it to everyone, telling them to use another browser. (Firefox, Google Chrome, Flock, Opera).

Wait sat…