MS issue brown alert for IE

The place for what's new and going on in the tech, innovation, and science world.
Post Reply
User avatar
Aspman
Frustrated Mad Scientist
Posts: 8864
Joined: Mon Jan 09, 2006 10:07 am
Location: Scotland

MS issue brown alert for IE

Post: # 124112Post Aspman
Tue Dec 16, 2008 9:52 am

http://secunia.com/advisories/33089/

http://www.cpni.gov.uk/Products/alerts/3735.aspx
Description:
A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a use-after-free error when composed HTML elements are bound to the same data source. This can be exploited to dereference freed memory via a specially crafted HTML document.

Successful exploitation allows execution of arbitrary code.

NOTE: Reportedly, the vulnerability is currently being actively exploited.

The vulnerability is confirmed in Internet Explorer 7 on a fully patched Windows XP SP3 and in Internet Explorer 6 on a fully patched Windows XP SP2, and reported in Internet Explorer 5.01 SP4. Other versions may also be affected.
Zero day, no patch.


"Man will never be free until the last king is strangled with the entrails of the last priest."
- Denis Diderot (1713-1784)

User avatar
Egaladeist
I am the Eg man : Coo Coo Ca Choo
Posts: 18908
Joined: Sun Dec 25, 2005 1:02 am
Location: Canada

Re: MS issue brown alert for IE

Post: # 124114Post Egaladeist
Tue Dec 16, 2008 11:42 am

How serious is this exploit? I never use IE but if this is a serious exploit it seems to me that Microsoft is kinda dragging their feet, I posted the same thing in our Microsoft forum 3 days ago and they still haven't come up with a patch for it...?

Granted, I don't know how long it takes...but you'd think if this was a problem they'd have a team working night and day to get it fixed.

User avatar
Aspman
Frustrated Mad Scientist
Posts: 8864
Joined: Mon Jan 09, 2006 10:07 am
Location: Scotland

Re: MS issue brown alert for IE

Post: # 124117Post Aspman
Tue Dec 16, 2008 1:34 pm

About as bad as it gets really.

Big hole allowing remote access
+ actively being used in the wild
+ no patch

=brown alert.

Lots of workplaces are forced to keep using IE because they have apps that are specifically written to make use of it. so this is really a corporate problem. Home users can just switch to FF or Opera.
"Man will never be free until the last king is strangled with the entrails of the last priest."
- Denis Diderot (1713-1784)

User avatar
Egaladeist
I am the Eg man : Coo Coo Ca Choo
Posts: 18908
Joined: Sun Dec 25, 2005 1:02 am
Location: Canada

Re: MS issue brown alert for IE

Post: # 124123Post Egaladeist
Tue Dec 16, 2008 2:56 pm

With the exception of checking to see what our sites look like in IE I haven't used it at all in about 5 years. :D

User avatar
Harry
Site Admin
Posts: 6784
Joined: Sat Feb 11, 2006 10:44 pm
Location: UK :-)
Contact:

Re: MS issue brown alert for IE

Post: # 124144Post Harry
Wed Dec 17, 2008 9:53 am

It's not really any more seious than the 100's of other buugs with web browsers including FF, Opera and Chrome, that allow for remote code execution - why this is getting more press than others is because MS are dragging their heels somewhat over releasing a patch and a twisted group of chinese folks have dedicated a few weeks of their lives to uploading the exploit to as many web sites as they can..IMHO
Drugs have taught an entire generation of kids the metric system..

TAZ's better half: http://www.theadminzone.com/

User avatar
THE Doctor
Ex Und3rtak3r from OZ
Posts: 6583
Joined: Tue Dec 27, 2005 1:30 pm
Are you a Spammer: No

Re: MS issue brown alert for IE

Post: # 124147Post THE Doctor
Wed Dec 17, 2008 1:45 pm

Harry wrote:It's not really any more serious than the 100's of other bugs with web browsers including FF, Opera and Chrome, that allow for remote code execution - why this is getting more press than others is because MS are dragging their heels somewhat over releasing a patch and a twisted group of chinese folks have dedicated a few weeks of their lives to uploading the exploit to as many web sites as they can..IMHO
A Voice of reason...

what about the cry of the servers that are being compromised? .. no comment on that..


more of concern is how Firefox tops Bit9's vulnerable applications list... http://www.vnunet.com/vnunet/news/22324 ... nerability
ahh the FF users infected with the Fake AV Trojans... (as well as the IE users) no media coverage on that

or am I just a FUD whore
.. The trouble with life is there's no background music..

Remember Grasshopper: The original point and click interface was a Smith & Wesson.

User avatar
Opus
I type, therefore I am
Posts: 937
Joined: Sun Mar 12, 2006 11:50 pm
Location: United States, Mississippi

Re: MS issue brown alert for IE

Post: # 124148Post Opus
Wed Dec 17, 2008 2:00 pm

Any vulnerability that is exploitable should be taken seriously, especially when it is a global issue. It was complacency that got us in trouble with CodeRed and others of the same time period.
There are two rules for success in life:
Rule 1: Don't tell people everything you know.

User avatar
dinowuff
I've posted HOW many
Posts: 5330
Joined: Sun Dec 25, 2005 11:26 pm
Are you a Spammer: No
Location: galactic longitude 359° 56′ 39.4″, galactic latitude −0° 2′ 46.2″
Contact:

Re: MS issue brown alert for IE

Post: # 124150Post dinowuff
Wed Dec 17, 2008 2:19 pm

Opus wrote:Any vulnerability that is exploitable should be taken seriously, especially when it is a global issue. It was complacency that got us in trouble with CodeRed and others of the same time period.
While this is true; nimda and code red were seriously launched at the onset of "high speed Internet". I remember having to explain the need, to the owner of the company, for websense - at that time. Reluctantly he agreed stating that his college, who owns Bissell, doesn't spend on "IT Stuff".

Code red did serious damage to Bissell - causing a complete network shutdown for a few days and a few thousand extra for the consultants.

ROI BABY! Even got a brownie point from the CEO for avoiding that one.

Now to IE - I understand the foundation of wanting browser technology integrated into an OS. I understand the need for ActiveX to be enabled (better luser experience). I understand the need for seamless integration among suite applications and the OS.

I understand the every browser on the market - as any software, is vulnerable to buffer overflows in some way, shape or form. So I only go where I trust, and if untrusted I go using a sandbox.

Will this vulnerability create a Global Crisis? No.
Image
No lusers were harmed in the creation of this Taz Zone Post.
AND I WANT TO KNOW WHY NOT!
09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0

User avatar
Opus
I type, therefore I am
Posts: 937
Joined: Sun Mar 12, 2006 11:50 pm
Location: United States, Mississippi

Re: MS issue brown alert for IE

Post: # 124151Post Opus
Wed Dec 17, 2008 2:38 pm

Will this vulnerability create a Global Crisis? No.
I agree, my point is more so not getting complacent
There are two rules for success in life:
Rule 1: Don't tell people everything you know.

User avatar
dinowuff
I've posted HOW many
Posts: 5330
Joined: Sun Dec 25, 2005 11:26 pm
Are you a Spammer: No
Location: galactic longitude 359° 56′ 39.4″, galactic latitude −0° 2′ 46.2″
Contact:

Re: MS issue brown alert for IE

Post: # 124162Post dinowuff
Wed Dec 17, 2008 4:47 pm

Image
No lusers were harmed in the creation of this Taz Zone Post.
AND I WANT TO KNOW WHY NOT!
09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0

User avatar
SirDice
I've posted HOW many
Posts: 4196
Joined: Mon May 15, 2006 9:59 am
Are you a Spammer: No
Location: Netherlands

Re: MS issue brown alert for IE

Post: # 124166Post SirDice
Wed Dec 17, 2008 8:23 pm

a) it looks like it's rather trivial to exploit the bug. My grandmother could probably write an exploit for it.
b) a lot of Windows users stick to IE
c) most, if not all, XP users run on an administrative account.
d) you can inject the code using sql injection into 'trusted' forums and other sites
e) you can exploit the bug using XSS, again leveraging 'trusted' sites.

In the past week this bug has been identified already 30 million machines got infected by abusing this bug. The biggest question is... how long has it been around the malware scene before it was (accidentally) found by security people?

Damn right I expect an out-of-band patch. This one even more so then the last. That server hole at least was thwarted by the standard windows firewall.

Back in the days of Code Red, my servers were protected and it didn't cost us a damn thing. I had installed IIS "the proper" way and had removed all those handlers that weren't needed, which included .ida. Things that iislockdown tool did later on, I'd always had done by hand (and added a few of my own). Even several unpatched servers never got infected by CodeRed or Nimda, and it wasn't the lack of trying, the logs were filled with attempts.

Edit: Another nice way to abuse it.. http://www.avertlabs.com/research/blog/ ... doc-files/
Oliver's Law:
Experience is something you don't get until just after you need it.

Dogbert
1st Century Addict
Posts: 136
Joined: Fri Jul 25, 2008 1:39 pm
Location: Athens, Georgia

Re: MS issue brown alert for IE

Post: # 124167Post Dogbert
Wed Dec 17, 2008 9:12 pm

They've published a patch for IE [ Security Update for Internet Explorer (960714) ]
http://www.microsoft.com/technet/securi ... 8-078.mspx :breakfast:
OUT! OUT! You demons of stupidity!!!!

Post Reply