ZERT-Gurus come with patch for 0-day exploit

Hi malware fighters,

There is a 3rd-party patch available for the new 0-day exploit:
http://www.eweek.com/article2/0,1895,2019162,00.asp
This is good news, and a sign that people around the world are concerned about the situation at hand. I opened their test page in Flock 0.7.4.1 and it was immune.

polonus

Thanks Polonus, I read the article. I guess what strikes me as being the most important thing is the statement made about Microsoft. This was:
“Microsoft needs to start paying attention and recognize that there’s a need for an out-of-band patch. It’s somewhat irresponsible to tell customers to wait two weeks for Patch Tuesday while computers are being hosed with malware,” he declared. This was by a gentleman called Stewart. :)

Hi neal63,

Yes, and how long has this type of hole been here now, with all the variants? This is the second time the ZERT-Gurus come with a third party patch, and M$ then serves up a similar “official” one later. This comes down to the fact that there are “basic” flaws in the code that can be exploited in numerous ways (here a buffer overflow with an I-Frame as infecting vector, with a link that can even be served up in a webforum (actually found recently)).
The initial founder of this malicious “feature” (a Russian cybercrook) sold it for 4000 bucks.
I don’t think that MS has done an overhaul. By that I mean throwing out all the old buggy code and replacing it with secure code, as was recently presented as a plan for the Firefox browser code. No, they built layer on layer on layer, and we don’t know where the holes in the structure are. We don’t know what “skeletons” are really lying around in the closed “software” code dungeons of the MS source code. I think this will not be the last time the ZERT team has had to come to the rescue to earn a T-shirt.

polonus

http://forum.avast.com/index.php?topic=23646.msg195046#msg195046
Is this the same patch?

BetaNews raises questions about Zert; Microsoft says don’t trust third party patches:

In the meantime, a group of software engineers called the Zeroday Emergency Response Team (ZERT) has issued what it characterizes as an interim patch for the VML exploit, possibly closing the door to a new series of Trojans.

In so doing, a new group resurrects some old questions: Should consumers trust third parties to patch Windows when Microsoft isn’t able to do so just yet? And does implementing a third-party patch make it more difficult for Microsoft - or anyone - to patch Windows in the future?

Only in the information security business can one become both underground and high-profile simultaneously. A story in Friday morning’s eWeek characterized ZERT as “a high-profile group of computer security professionals,” although the membership list on the group’s Web site admits to not listing everyone in the group, because “some ZERT volunteers prefer anonymity.”

ZERT only claims its patch addresses the buffer overflow vulnerability, but does not explain exactly what it is the patch is supposed to do. Not even the eWeek story gives a description of the patch, although it does quote one volunteer member of the ZERT group as saying, “Something has to be done about Microsoft’s patching cycle.”

“ZERT members work together as a team,” the group’s Web site reads, “to release a non-vendor patch when a so-called ‘0day’ (zero-day) exploit appears in the open which poses a serious risk to the public, to the infrastructure of the Internet or both. The purpose of ZERT is not to ‘crack’ products, but rather to ‘uncrack’ them by averting security vulnerabilities in them before they can be widely exploited.”

The VML patch is the group’s first, so it remains to be seen whether the public at large is willing to trust a high-profile group of unknowns to provide them with “something,” rather than wait for Microsoft to make good on its pledges to produce anything. ZERT’s press liaison did not return BetaNews’ request for comment.

“Microsoft is aware of third party mitigations that attempt to block exploitation of vulnerabilities in Microsoft software,” a Microsoft spokesperson told BetaNews late Friday afternoon. “While Microsoft can appreciate the steps these vendors and independent security researchers are taking to provide our customers with mitigations, as a best practice, customers should obtain security updates and guidance from the original software vendor.

“Microsoft carefully reviews and tests security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility,” the spokesperson added. “Microsoft cannot provide similar assurance for independent third party security updates or mitigations.”

http://www.betanews.com/article/Microsoft_Rushes_Patch_for_VML_Exploit/1158972604

I personally believe that I would trust Zert as much as I would Microsoft. I cannot believe that they are putting out a third party patch for any bad ulterior motive. Just taking up slack where Microsoft is concerned. :)

A possible problem and fix with the Zert patch:

http://www.pcdoctor-guide.com/wordpress/?p=3463

http://www.pcdoctor-guide.com/wordpress/?p=3465

Hi MasterTech,

There is malware around that disables DEP during an attack; this malware has actually been demonstrated and is in circulation. Could this not mean that DEP actually comes down to DEPressive??? Read this: http://radsoft.net/resources/rants/20051231,01.shtml

Here is something about the hole in DEP that Russian security researchers found half a year ago:
http://www.tunexp.com/news/windows-story-609.html

Limitations

Unlike similar protection schemes available on other operating systems, DEP provides no address space layout randomization, which may allow return-to-libc attacks that could feasibly be used to disable DEP during an attack.

The possibility has now been demonstrated against Windows hardware-enforced DEP by skape in. which relies on a return-to-libc style attack. This technique relies on directly pointing the EIP register to the known service-pack-dependent location which applies the OptIn/OptOut mechanism. It is reliant on the boot-time option of OptOut/OptIn being available. If all pages are strictly enforced, then this attack will not succeed. The PaX documentation further elaborates on why ASLR is necessary. It may be possible to develop a successful attack if the address of prepared data such as corrupted images or MP3s can be known by the attacker. (This is already done in QuickTime.)
[source Wikipedia]

Software conflicts

DEP is occasionally the cause of software problems, usually with older software. It has exposed bugs in the Virtuozzo virtualization software that prevent certain programs from being virtualized correctly. In most cases, these problems may be solved by disabling the DEP features.

As a response to this, DEP can be turned off on a per-application basis, retaining compatibility for older programs. [source Wikipedia]

Well, why use software DEP when hardware DEP is the only real solution?

polonus
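The Wikipedia excerpt above makes two practical points: the OptIn/OptOut switch only matters when the boot-time policy leaves it available (AlwaysOn closes it), and per-application exclusions silently take individual programs out of DEP. The following PowerShell audit is an added example, not from the thread or from ZERT; it reads the system-wide DEP policy from WMI (Win32_OperatingSystem) and lists per-application exclusions stored as AppCompat layer flags, and assumes a Windows host with PowerShell 3 or later.

```powershell
# Added example: audit the Data Execution Prevention configuration of a Windows host.
# Policy codes are those of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy.
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for everything)'
    1 = 'AlwaysOn  (DEP enforced for all processes, no exceptions)'
    2 = 'OptIn     (DEP only for Windows system binaries; client default)'
    3 = 'OptOut    (DEP for all processes except listed exceptions)'
}

function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available   # NX/XD bit usable
        PolicyCode           = $os.DataExecutionPrevention_SupportPolicy
        Policy               = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Applies32Bit         = $os.DataExecutionPrevention_32BitApplications
        AppliesDrivers       = $os.DataExecutionPrevention_Drivers
    }
}

function Get-DepExceptions {
    # Per-application opt-outs are AppCompat layer flags keyed by executable path;
    # the 'DisableNXShowUI' flag marks a program that has been excluded from DEP.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($exe in $item.GetValueNames()) {
            $flags = [string]$item.GetValue($exe)
            if ($flags -match 'DisableNX') {
                [pscustomobject]@{ Scope = $key.Split(':')[0]; Executable = $exe; Flags = $flags }
            }
        }
    }
}

$status = Get-DepStatus
$status | Format-List
if ($status.PolicyCode -ne 1) {
    Write-Warning 'DEP policy is not AlwaysOn: the OptIn/OptOut switch discussed above stays reachable.'
}
$exceptions = @(Get-DepExceptions)
if ($exceptions.Count -gt 0) {
    Write-Warning "$($exceptions.Count) executable(s) are excluded from DEP:"
    $exceptions | Format-Table -AutoSize
} else {
    Write-Output 'No per-application DEP exclusions found.'
}
```

Run it from an elevated prompt so the HKLM key is readable; a machine that reports hardware DEP unavailable is running software DEP only, which is the situation the post above questions.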

:) Interesting, to say the least.

The situation is getting worse; it would not surprise me if MS comes out with an earlier patch. Some providers in the States have problems. And this is being installed:
http://blog.washingtonpost.com/securityfix/2006/09/newly_detected_ie_exploit_spel_1.html

polonus

Hi Polonus,

I applied the DEP feature on my computer (software only, as I have an older chip). I guess there’s a reason why it is not applied by default: soon after, I got this message while running Ad-Aware:

http://www.geocities.com/dontsurfinthenude/adawareDEP.jpg