New zero-day exploit in-the-wild, Caught by Avast?

I hope Avast will take care of this one asap,
if it does not already? McAfee and Symantec do as I understand it.
:slight_smile:
Link to sans.org: http://isc.sans.org/diary.php?storyid=1198

Regards
Hannibal Lecter

Edit: Added excerpt from Sans.org:

Published: 2006-03-17,
Last Updated: 2006-03-17 22:13:17 UTC by John Bambenek (Version: 1)

There is a new and unpatched vulnerability with exploit code in the wild that affects the latest version of IE. The exploit works by including an abnormally large (a couple thousand) number of script actions inside a single HTML tag. This will cause a memory array to write out of bounds and cause an immediate or eventual browser crash. Both McAfee and Symantec have released signatures to detect this exploit. While this is only a DoS vulnerability at the moment, there are ongoing attempts to try to use this as a vector for remote code execution.

More as it develops…
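The pattern the SANS excerpt describes (an abnormally large number of script actions inside a single HTML tag) is the kind of thing a content signature looks for. The following is an added example, not part of the original thread and not any vendor's detection logic: a heuristic that counts `on*` event-handler attributes per tag. The names `scan_html` and `HandlerCounter` and the threshold of 1000 are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumed threshold: the excerpt says "a couple thousand" script actions in one
# tag; legitimate markup rarely carries more than a handful.
DEFAULT_THRESHOLD = 1000


class HandlerCounter(HTMLParser):
    """Collect start tags whose number of on* attributes reaches a threshold."""

    def __init__(self, threshold):
        super().__init__(convert_charrefs=True)
        self.threshold = threshold
        self.findings = []  # (tag, line, handler_count)

    def handle_starttag(self, tag, attrs):
        # attrs keeps duplicates and lowercases names, so a repeated onclick=
        # is counted every time it appears. Any attribute name beginning with
        # "on" is counted; this is a heuristic, not a list of real handlers.
        count = sum(1 for name, _ in attrs
                    if name.startswith("on") and len(name) > 2)
        if count >= self.threshold:
            line, _ = self.getpos()
            self.findings.append((tag, line, count))


def scan_html(html, threshold=DEFAULT_THRESHOLD):
    """Return a list of (tag, line, handler_count) for suspicious tags."""
    parser = HandlerCounter(threshold)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; the threshold is lowered below so that a short tag
# is enough to show the logic.
SAMPLE = """<html><body>
<a href="/" onclick="go()">home</a>
<img src="x.gif" onload="a()" onerror="b()" onclick="c()" onclick="d()">
</body></html>"""

if __name__ == "__main__":
    for tag, line, count in scan_html(SAMPLE, threshold=4):
        print(f"line {line}: <{tag}> carries {count} event-handler attributes")
```

A check like this only sees markup present in the response body, so it says nothing about handlers added later by script.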

Won’t a firewall or NetShield avast provider catch this one? :slight_smile:

I have to answer myself.

I assume the answer to my question is no.

Why dead silence around my question?

Isn’t it polite to give an answer regardless of what the answer is? :cry:

Hannibal

Maybe they do not follow the Forum in the last hours, maybe they’re working for this and other changes… Who knows…

One slight problem: I tried the link and IE7 froze. Curious.

Tech, Sorry I was typing while you were answering me:

No, a firewall will NOT stop this. It’s a vulnerability in Internet Explorer.
Mshtml.dll in IE. A fully patched IE6 SP2 is vulnerable.

I assume you mean Webshield and not Netshield.
But Webshield also requires signatures to stop this, but I am a great fan of webshield.
It can’t do miracles.

If you wish, I can point you to a POC-site with a picture that really hangs your Explorer.

No, I mean NetShield. It does not require signatures to work.

Network Shield is a protection against known Internet worms/attacks. It analyses all network traffic and scans it for malicious contents. It can be also taken as a lightweight firewall (or more precisely, an IDS (Intrusion Detection System)). Network Shield protects you from internet worms that spread themselves via various security holes in your system. Typically these kinds of viruses don’t infect files but instead they attack running processes on your PC (either Windows components or some server programs like SQL Server, IIS etc.). These kinds of attacks are not easily caught by ordinary antivirus during file or mail scanning. It is not a duplicate work with Standard Shield.

Tech, do you really mean that the Netshield can take care of this?

I am on a stand-alone computer connected directly to the net. Using Standardshield, Webshield and ZA.

I do not even use the Netshield because from what I have read, in my configuration, it would not give any additional protection.

By the way, this is not a worm or something like that, but a flooding of Explorer so it crashes.

HL

No, just guessing for what you’ve posted before…

In fact… NetShield is not designed for that.

Maybe Igor or Vlk could post something about it with more technical knowledge 8)

Talking to myself once again:

If it is like Tech says that Netshield takes care of this, why not say so officially?

If this is not the case, why not inform the users that “we are working” on it, or something like that?

This reminds me of early in the WMF-exploit when I asked a similar question without any response.

I am aware that by now we are talking DOS-attempts, but as Sans says, it is just a matter of time before it gets worse.

We (the users) deserve an answer.

EDIT: Tech, Sorry again, I have to type faster. :slight_smile:

This reminds me of early in the WMF-exploit when I asked a similar question without any response.
And behind the scenes avast was working and one of the first to pass all the known WMF exploits.

If you are so concerned about this vulnerability in IE, switch browsers, Opera, Firefox or any non-ie based browser. I would like to hope that MS are also working on a solution to this but I don’t hear the screams about what they are doing about it.

Until MS totally remove IE from the OS integration I for one won’t be using it as any vulnerability in the browser can lead to a vulnerability in the OS.

As for “Sans says, it is just a matter of time before it gets worse.” when these scripts are developed we will have to see if the web shield will detect and intercept them, until then it is speculative and you can’t easily defend against speculation.

I’ll second that!

Even the bloke who discovered the exploit is pretty sarky about IE:

This might not come as a surprise, but there appears to be a *very* interesting and apparently very much exploitable overflow in Microsoft Internet Explorer (mshtml.dll).

http://www.securityfocus.com/archive/1/427904/30/0/threaded

Historically, IE has had more vulnerabilities, more serious vulnerabilities, and taken longer to fix them.

http://www.webdevout.net/security_summary.php

Why wait for your AV to protect you? Like David said, switch to Firefox or Opera and be less at risk.

Yes, fine.
And I just asked a question: Is this happening now, too? Dead silence about that.
Avast have declared to speed up their detection, and I want to be safe.
Nothing more, nothing less. I trust in Avast and I want to continue with that…

Using another browser is just off-topic. 80-90 % use IE and I really don’t think you mean that Avast should say: ‘Not for use with IE, use another browser’.

Avast declared that they would speed up the detection and I am just following up.
One of the guys who tried the POC declared that Norton Internet Security saved him.

Yes, we can blame MS, but I don’t think MS is the topic in this forum.
Personally I am not concerned about this at this point.
I just want to be sure that my antivirus provider is catching up (with all the new virus analysts installed)

“we will have to see if the web shield will detect and intercept them” you said.
But I have always believed that Webshield uses the same sigs as the rest of Avast.

I am not an enemy, just asking what I think is a legitimate question.
Silence is golden is not always the best.

I think we live in a rare atmosphere where we generally have very good access and direct contact through the forums with the Alwil team, perhaps we have become spoilt. Somehow I doubt you would get a prompt answer to your question from any of the major AV companies, that is why many left them for avast.

Why suggesting another browser is off topic is because 80-90% use IE is neither here nor there, the issue is about a 0-day exploit that directly affects IE users. So a reasonable option is to use a different browser until the exploit is closed, whether or not that is an AV solution (which will always be behind newer variants of the same exploit) or switching browsers that could be a permanent resolution of the problem.

I know which I would choose, but you must decide for yourself.

hlecter:

"...Using another browser is just off-topic. 80-90 % use IE and I really don't think you mean that Avast should say: 'Not for use with IE, use another browser'."
I feel really the topic is that: "80-90 %" of Internet users browse with IE. This makes it a huge target for miscreants. I'm sure Alwil is working at patching the exploit, maybe more so than MS. ??? As DavidR says:
"I think we live in a rare atmosphere where we generally have very good access and direct contact through the forums with the Alwil team, perhaps we have become spoilt. Somehow I doubt you would get a prompt answer to your question from any of the major AV companies, that is why many left them for avast."
"So a reasonable option is to use a different browser until the exploit is closed, whether or not that is an AV solution (which will always be behind newer variants of the same exploit) or switching browsers that could be a permanent resolution of the problem."
Patience is a virtue, so is common sense when an option to not use IE till "patched" is available. :) Safe Surfing.

Remember, I don’t speak for avast, I’m just an avast user like yourself, so let’s not put words in either my mouth or avast’s mouth, after all you have said of their silence, “We (the users) deserve an answer.”

So avast clearly haven’t said for avast users to use a different browser, I suggested that.

My conclusions are:

  1. I asked a simple question :slight_smile:

  2. I got a lot of answers ???

  3. None of the answers matches my question. :cry:

I am positive considering Avast, but to say we are spoiled because of a good forum
is taking it too far. The problem is lack of information. I tried to get some information on behalf of myself and others and I didn’t get it. (this time).

I can live with that. Me too, in fact, have tried to answer questions here. But I try to answer the question posted and not another. And I like to know what I am talking about so that’s the reason for why that happens very seldom as you can see from my postcount. :slight_smile:

I see it this way:
To get well treated in this forum you have to ask the “right” questions and e.g. avoid mentioning tests where Avast is under par or other negative aspects of Avast.
Or saying anything about low detection rates and the like.

This time I asked the “wrong” question.

But I will be back later to hopefully be able to help others or asking “correct” questions.

No hard feelings, but a little bit of disappointment that I didn’t get an official answer that e.g. we are working on it and hopefully it will be fixed by…
Bye for now. (Thread closed from my point of view, I mean I should never have started it :).)

Postscriptum: Yes, I have Opera too, but that’s still offtopic in my opinion


Hannibal,

In an above post you stated you do not use Network Shield. Why not? ???

Tech states it might be possible that Network Shield might help with this exploit. Whether it does or not, turning that shield on would do no harm and might help in some way. I do not think it would use many (little or none) resources if it is active but not doing anything.

I have always had Network Shield active yet it always has a zero count. As far as resources go, I can not even tell it is on. Still, it is on for me and if something comes along that Network Shield might protect against, then it is activated to do whatever it might do.

The old saying goes, “An ounce of prevention is worth a pound of cure.”


This is not true. You know that.
You don’t have to ask the ‘right’ question. You just need to WAIT for the official answers.
You got a free antivirus software, free support, but you want it now, now, now… so, you get the dead silence…

You’re not being fair. I complain about this whatever I think I need/deserve.
You’re not being fair…

No.

I’ve asked them… but we’re on the weekend and maybe this is not a priority issue.

CharleyO,

I had finished the thread when I saw your question.
After what I have heard and read it’s pointless in my configuration.

But I might be wrong. Generally speaking (not this exploit): For what reason should I use Network Shield?

I am not on a local network.

I am directly connected to the net.

I use ZA

Could you enlighten me; I would be very happy if you could.
The fact that it’s light on resources is not enough by itself.

Thanks