RSSIs there a new remote data execution exploit for IE7?
By Scott M. Fulton, III | Published December 11, 2008, 11:21 AM
All that anyone knows for certain as of today is that there are some browsers that appear to be the victim of new attacks using a very old profile: embedded binary code for graphic objects appearing in IE7 Web pages.
In a security advisory issued yesterday, Microsoft acknowledged that its security team is investigating reports of a new data execution prevention exploit in Internet Explorer 7 that was not addressed during the previous Patch Tuesday cycle, though it stopped short of explicitly saying such an exploit actually exists.
The advisory says the company is aware of certain attacks, though the way it said so implied that Microsoft learned of these attacks through customers, not through research. Security firms that have contacted BetaNews thus far also appear to have been caught off-guard, saying only that their respective security products deliver full protection against the problem...whatever it is.
Once again, the best clue we have as to the nature of the problem lies in Microsoft's suggested workarounds for customers, which it says will protect them from experiencing the attacks' known symptoms. The number one measure it suggests customers should take is to set both Internet and Local Security zone settings (through the Security tab on the Internet Properties control panel) to High prior to running any page that uses an ActiveX control or Active Scripting.
This suggests that, at the very least, the profile of the attack is one of the oldest in the book -- in fact, it could essentially be an offshoot of the most prominent attacks that plagued the very first editions of Internet Explorer over a decade ago. Back then, IE enabled the use of (non-standard) HTML elements that triggered both the downloading and the embedding of ActiveX controls in Web pages. Essentially, browsers could acquire and run binary code directly from servers, and back before anyone thought twice about the security aspects of doing so, no user intervention was required whatsoever -- zero.
Today, the ActiveX mechanism still exists, though with substantially more safeguards to prevent that type of occurrence. And Microsoft has "deprecated" ActiveX as a way to get custom controls in pages, devising in its place a complex but very functional system based on parts of the .NET Framework, such as Silverlight, that do not require the online transfer of binary code and its subsequent execution.
It was a long-running patent infringement lawsuit with Eolas Technologies that forced Microsoft to disable the automatic triggering of ActiveX controls in Web pages. That inclusion of the trigger protection was actually bad for Eolas, which had an opportunity to benefit from the automatic triggering of executable code -- the concept that Eolas' patents protected. After the two firms settled in November 2007, Microsoft was allowed to remove the protection, in an IE7 update that was rolled out last April. Ironically, it could be the re-emergence of that code trigger that is leading to what Microsoft now perceives as evidence of a new ActiveX exploit.
But whose systems would be effected, after all this long time, and after ActiveX has become an historical remnant for many users? Many enterprises that use intranets as vehicles for deploying their in-house Web applications, which run through employees' browsers, continue to run on code created in the last decade -- code that includes ActiveX controls that IT departments don't know, or aren't skilled enough with Visual Studio to learn, how to replace.
A Secunia advisory updated this morning indicates that the exploit focuses on the browser's apparent inability to clean up memory after an embedded component -- if Microsoft's description is accurate, presumably an ActiveX control -- is bound to a page with multiple HTML elements that refer to it. For example, conceivably, a single component may be embedded once but replicated throughout the page; if those instances are all cleared, traces of the code may remain in memory.
That code may then presumably be executed without need for privilege, although Microsoft is saying that turning Data Execution Prevention on will disable this ability.
If you are still dumb enough to use IE... you get what you deserve!
all of the smart people do not use IE anymore!
Score: 0
|There is an active, in use exploit, and we're starting to see its detection on client systems:
http://www.trendmicro.co...JS_DLOAD.MD&VSect=T
Score: 0
|Can you imagine - ActiveX - the protocol with no method of authenication designed to allow various apps to interact- being involved in a potential exploit.
Yup, and Windows is ONLY more vulnerable because more folks use it it has nothing to do with fundamental access control. LOL!
====================================
Meanwhile BetaNews has totally missed 'insignificant'(sic) exploits like that outlined by Outpost24 of Sweden regarding the fundamental vulnerability of TCP and the ability to knock over and allow DOS attacks to virtually ANY Internet facing machine with a TCP service listening for remote connections.
Their tool, called Sockstress, leveraging the vulnerability has been QUICKLY able to knock over every machine its been aimed at.
And there does NOT appear to be a simple workaround.
And for the fanboys, this is in regards to the TCP stack itself - and its not OS specific - its OS universal. (But so much for MS's risk analysis labeling system. LOL!)
....................
Or, we could also mention the more serious web browsr vulnerability discovered by Grossman and Hansen regarding the ability to effectively hijack web clicks.
This browser (in)security made possible by iFrames' ability to hide malicious web content, effectively forces users to click on virtually any button the attacker wants them to, on any website.
Thusfar there is no quick fix.
...................
Also, we could mention the botnet ASPROX that has been playing a major role in the SQL injection exploits. Seems like its been up to a bit more than spreading fake antivirus and DoS attacks!
...................
Or, for those for whom VOIP security is an issue; XTest can audit the stength of passwords in VOIP, while UCSniff, a tool capable of learning the layout of a VOIP network and then monitoring whatever conversations the user chooses. And for those interested in this tool, it can be set to sniff specific extentions exclusively, or set to only monitor calls between 2 specific parties. UCSniff is currently being ported to Windows.
Score: 0
|Thanks for the post. didn't know about some of these. :)
Score: 0
|For more info regarding these vulnerabilities, here is a good start - at least as far as those who uncovered them:
The TCP vulnerability is detailed by Outpost24 (R. Lee & J. Lewis).
Here's a quick link describing it:
http://www.techworld.com...index.cfm?newsid=105086
For more iFrames info reference Grossman(CTO) of WhiteHat Security. Robert Hansen is an independent security researcher.
Dennis Brown of Verisign gave an in depth analysis in his presentation regarding ASPROX at ToonCon in September.
http://denbrown.com/AsproxIn20.ppt
Hope that helps a bit.
More is available, but most I am intimate with is via subscription...I will try to post more public links if/when I uncover them...but if you are prudent with a web search, much should be available...Or by simply contacting the lised authors/sources.
Score: 0
|Thusfar there is no quick fix.
Drop the IFRAME tag as it was meant to be dropped years ago.
Score: 0
|Huh?
Nope.
Tell Jeremiah Grossman that.
Score: 0
|Much appreciated. Thanks!
Score: 0
|IFRAME was dropped from HTML and XHTML standards a long time ago.
If browsers were to drop support for these tags (which would be a tad idealistic) then there would be no problem with click-jacking.
However, too many bad web designers (or designers who are forced to use legacy formats) keep using IFRAME tags.
Score: 0
|Just as too many websites are written to legacy MS standards which are anything but current open standards.
And if everyone srutinized their code using current best practices 95% of everything we end up talking about here would be moot!
If only!
Score: 0
|