If you remember the month of browser bugs series of exploits back in July, there was a denial of service there that appears to have code execution after all. Coincidence or not, it got publicly released after the out of cycle Microsoft patch for MSIE. So: No, surfing with MSIE is still not safe.
References
* CVE-2006-3730
* USCERT note 753044
* Microsoft security advisory 926043
Defenses
* Use an alternate browser (yeah, we sound like a broken record). But diversity really helps make the bad guys' job harder.
* Disable ActiveX (take care: windowsupdate needs it, so you need to trust those sites)
* Set the killbits: {844F4806-E8A8-11d2-9652-00C04FC30871} and {E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
* Keep antivirus signatures up to date.
* Keep an eye out for a patch from Microsoft.
* ...
http://isc.sans.org/diary.php?storyid=1741
Here’s the MS Security advisory link:
http://www.microsoft.com/technet/security/advisory/926043.mspx
There’s a pattern here with malware pushers releasing exploits just after Patch Tuesday to maximize the time available for attacks before the next patch cycle one month later:
"There is more than one thing going on right now in terms of zero-days," said Ken Dunham, director of the rapid response team at VeriSign's iDefense. "The timing of these attacks and exploits is designed to be a thorn in the side of Microsoft." Some security watchers have started to coin the term "zero-day Wednesday."
Hi FwF,
Can you see the pattern here? Is this too far-fetched, or when the new one is zeroing in, MS security recognizes it, while others still fly in the dark? Could it not be that MS is “foofighting” other av-vendors in this way to position their total security better, and so eventually to be able to move in for the kill??? I will go on using Flock for the moment. If all prior to IE 7 is so insecure, why don’t they make it mandatory to upgrade to IE 7? Well, that moment is nearing i.m.h.o.
This leak: http://www.us-cert.gov/cas/techalerts/TA06-270A.html was found by H.D. Moore, only to cause a DOS-attack, but now leading to complete remote control. For a patch we have to wait for MS to come out with one.
polonus
http://www.betanews.com/article/ZeroDay_Windows_Shell_Exploit_Emerges/1159555943
Secunia have rated it ‘extremely critical’:
http://secunia.com/advisories/22159/
Please note, as with the VML exploit, if you have Win2000 or earlier, MS is not going to fix this for you: get Firefox or Opera now!
Hi FwF,
There is a small number of cases where legitimate ActiveX controls from Microsoft and third parties were marked as “safe for scripting” (a programming term meaning that other programs can use them in scripting applications) even though these controls performed potentially dangerous operations and their access should have been restricted. That is what is hunting us now.
To blame ActiveX as such is a much found argument to declare IE insecure, but this is only so to a certain extent. To have the browser so deeply embedded in the OS is another reason for it being a main vector of malware. Browsing inside a VM might be an escape route in the future for this predicament we are in here with an obsolete IE6. People should upgrade to IE7 or indeed use a browser with a smaller platform (FF, Flock, Opera) with in-browser security set high.
polonus
Rise and shine. This vulnerability is being actively exploited in the wild.
http://isc.sans.org/diary.php?storyid=1747&isc=770332301989948acd4d184fd313c617
We've now verified that this works pretty well on fully patched XP SP2 (yes, including the VML patch). It installs at least a rootkit, so I'm not going to share the exact URL, but it's along the lines of http://xxxxxxxxxx.biz/dl/slide499.html. The fact that I only found it on one web site so far is immaterial … these guys have a well established distribution model, with many adult/warez sites acting as lures, and it is probably on many more already.
They also like to hack into completely innocent sites, and install an iframe, thus turning them into unwitting lures, and they like to find bulletin boards that are open enough for them to insert their iframe.
The exploit is very easy to copy, so I expect this will be widely adopted.
http://explabs.blogspot.com/2006/09/webviewfoldericon-setslice-exploit-in_30.html
These (yes, there’s another one) ActiveX based attacks can be mitigated using a kill bit:
http://isc.sans.org/diary.php?storyid=1742
(Opera and Firefox do not use ActiveX and so are not affected.)
Hi FwF,
So what is our conclusion, IE at the moment is “not safe for scripting”.
Do you have any idea of the workings of ActiveX firewall against these exploits?
polonus
Cybercrooks have started exploiting a flaw in the Windows Shell only days after sample attack code for the vulnerability surfaced.
Also, a group of security professionals, calling itself the Zeroday Emergency Response Team, or ZERT, is working on a third-party fix that should be available before Microsoft's official patch, Thompson said.
http://news.com.com/Cybercrooks+add+Windows+flaw+to+arsenal/2100-7349_3-6121584.html?tag=cd.top
Websense Security Labs (TM) has received several reports of the recently released "WebView FolderIcon setSlice" Internet Explorer zero-day code being utilized on the Internet. Like the recently reported VML zero-day, there are professionals at work using the exploit code.
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=644
EDIT: The ZERT patch is out!
Determina, in Redwood City, Calif., has shipped a runtime fix for the vulnerability. It can be applied to Windows 2000, Windows XP and Windows 2003 systems and patches the vulnerable code in memory, without modifying any files on disk. The non-profit ZERT (Zeroday Emergency Response Team) has endorsed the Determina patch. The group has also released a patch called ZProtector that automates Microsoft’s recommended mitigation for Windows users.
http://www.eweek.com/article2/0,1895,2022805,00.asp
If you have not taken measures yet, please consider some emergency fixes to cover the weekend. The exploit is widely known, easy to recreate, and used on more and more websites. The risk of getting hit is increasing significantly and the type of users of the exploit are also not the least dangerous ones. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove.
Actions
We suggest following actions (do them all: a layered approach will work when one of the measures fails):
* Update your antivirus software, make sure your vendor has protection for it (*).
* Install following killbits (**):
{844F4806-E8A8-11d2-9652-00C04FC30871}
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
make sure you set both.
You can do this manually as in the Microsoft security advisory, by using Tom Liston’s tool, with a GPO, …
* Consider asking your users to stop their usage of MSIE, we know it's hard to break an addiction, but you're using the most targeted browser in the world.
We are aware of 3rd party patches, but our recommendation is to use the measures above instead.
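The kill-bit mitigation recommended in the ISC diary quoted above (and in the earlier post linking storyid=1742) can be applied and audited with a short script. The following is an added example, not code from the ISC diary, Microsoft or the forum posters. It assumes the documented kill-bit mechanism: a DWORD value named "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (and under the Wow6432Node branch for 32-bit IE on 64-bit Windows). The two CLSIDs are the ones named in the diary; the function names are the example's own.

```powershell
# Added example: set and verify the two kill bits from the ISC diary.
# Assumes the documented kill-bit registry location and the 0x400 flag;
# run from an elevated PowerShell prompt.

$KillBitFlag = 0x400
$Clsids = @(
    '{844F4806-E8A8-11d2-9652-00C04FC30871}',  # CLSID from the diary / MS advisory
    '{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}'   # second CLSID from the diary
)

# Native registry view, plus the Wow6432Node view when 32-bit IE runs on 64-bit Windows.
$BasePaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $BasePaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

# Returns $true only if the key exists and the 0x400 bit is present in Compatibility Flags.
function Test-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

# Creates the CLSID key if needed and ORs the kill bit into any flags already there,
# so other compatibility flags a vendor may have set are preserved.
function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' `
        -Value ($existing -bor $KillBitFlag) -Type DWord
}

foreach ($base in $BasePaths) {
    foreach ($clsid in $Clsids) {
        $path = Join-Path $base $clsid
        if (Test-KillBit $path) {
            Write-Host "already set: $path"
        } else {
            Set-KillBit $path
            # Re-read after writing so a failed or partial write is reported, not assumed.
            if (Test-KillBit $path) { Write-Host "set: $path" }
            else { Write-Warning "FAILED to set kill bit: $path" }
        }
    }
}
```

Running only the Test-KillBit checks (without Set-KillBit) gives a quick audit of whether a machine already has both bits, which is the same thing a GPO registry setting pushed to the same keys would accomplish; note that a kill bit blocks IE from instantiating the control but does not remove the DLL, so it is a mitigation to keep in place until the vendor patch is installed.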
The ZERT patch really is out now. The patch yesterday was by Determina, which means there are two unofficial patches out now:
October 2, 2006: Advisory updated to advise customers that Web sites that attempt to use this vulnerability to perform limited attacks have been discovered.
We are aware of Web sites attempting to use the reported vulnerability to install malware. Our investigation into these Web sites shows that, in most cases, attempts to install malicious software by exploiting this vulnerability fail. This is due to specific technical factors related to the vulnerability.
http://www.microsoft.com/technet/security/advisory/926043.mspx
This one is getting patched Tuesday, except, I believe, for users of Win2000 or previous versions, for whom the advice remains, get an alternative browser.
http://blog.washingtonpost.com/securityfix/2006/10/microsoft_to_issue_eleven_patc.html