Another ' Critical ' IE flaw

  1. #1
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171

    Another ' Critical ' IE flaw

    Microsoft is investigating a report of a new, unpatched flaw in Internet Explorer that could expose users of the ubiquitous Web browser to attacks.

    An attacker could craft a malicious Web site that takes advantage of the flaw and gain control over the PCs that visit the Web site or install malicious software on those systems, a representative of the French Security Incident Response Team said in an e-mail interview Wednesday. The organization rates the issue "critical," its most serious classification.

    Exploit code for the flaw is available on the Internet, according to the French security research group. The availability of exploit code typically raises the risk to users because it could aid miscreants in setting up attacks.

    Microsoft is investigating the report of the new IE flaw, a company representative said in a statement late Wednesday. The software maker is not aware of attacks that use the reported flaw, the representative said. After the investigation, Microsoft will take the appropriate action to protect users, which could include a security update, she said.

    Internet security monitoring company Websense has added detection mechanisms for this latest potential IE flaw to its software. As of Wednesday afternoon the company had not found any malicious Web sites that take advantage of it, said Dan Hubbard, senior director of security and research at Websense in San Diego.
    http://news.com.com/Microsoft+invest...7611&subj=news
    Microsoft investigates potential new IE flaw | CNET News.com

  2. #2
    Senior Member
    Join Date
    Jul 2005
    Posts
    277
    Is Microsoft trying to subconsciously get us to use other browsers?
    Difficult takes a day, Impossible takes a week~Kthln01!

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    i wonder if this has to do with the 0day found by the honeymonkey.

    (guess maybe i should read the whole article which i will do when i find time after i get to work)
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Sans is updating their diary as they find more during the day...would be worth checking it out...

    http://isc.sans.org/

    So far:

    At this point, there is no patch available. Exploit code has been released and is expected to be used in the wild shortly (if it hasn't been used already).

    In order to be vulnerable, you need to have 'msdds.dll' installed. Usually, this is installed by Visual Studio .Net, but has been found to be installed by a number of other applications as well, as it may be distributed with .Net based applications.

    Typically, you will find it in
    Program Files\Common Files\MicrosoftShared\MSDesigners7 .[Jordan]

    Here is a list of applications that may install this component:
    (Disclaimer: We can't test them all... but it should help you prioritize)
    MS Visual Studio .Net
    .Net Framework 1.1
    Microsoft Office (2000, 2002, XP) [Karl, Juha-Matti]
    Microsoft Project
    Visio [Chris]
    Access 11 (2003) runtime [Scott]
    ATI Catalyst driver installed by newer ATI video cards [Eric]

    MSDDS.DLL is not found on Win2003 SP1 SERVER with .net installed (not Visual Studio .net). [Andy].

    The version of MSDDS.DLL installed with Office 2003 is not vulnerable.

    If you test your system using the PoC exploit, please let us know if it succeeded, and what version of MSDDS.DLL you are using. Version 7.10.3077.0 may not be vulnerable (according to Secunia and our testing). [Juha-Matti]

    Version 7.0.9064.9112 is vulnerable [Gilles].

    If you are able to apply content filters to your internet gateway (e.g. a proxy server), filter for this string:
    (in order to allow you to still visit this page, we substituted the '-' with the word '(dash)' ...)
    EC444CB6(dash)3E7E(dash)4865(dash)B1C3(dash)0DE72EF39B3F
    This is the class id of the vulnerable component.

    Other Mitigation Techniques:
    - Use a Non-ActiveX aware browser (Firefox, Opera...)
    - remove the vulnerable DLL. (we do not know what will break as a result)
    - this issue can be blocked by setting the 'kill bit' for the respective DLL. Using a registry editor, set: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\EC444CB6(dash)3E7E(dash)4865(dash)B1C3(dash)0DE72EF39B3F\Compatibility Flags=0x00000400 [Jerry]

    There is no official patch for this vulnerability at this point. MS05-038 looks similar, but the patch doesn't appear to protect you from this problem.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    For those of you out there that can't block and don't have a reasonable opportunity to mitigate, this is a working Snort rule I wrote to detect this exploit. It searches for the Class ID used by the exploit as published by ISC:-

    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPERIMENTAL MSDDS 0 day Exploit Detected"; flow: from_server; content:"EC444CB6-3E7E-4865-B1C3-[REMOVE THIS]0DE72EF39B3F"; classtype: Bad-unknown;)

    [Edit]

    Er... It triggers on this page because Neb's post has the space removed from the Class ID that ISC had in it.

    Neb, can you add a space and note it to prevent the FP please....

    [/Edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
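
Added example, not part of any post in this thread and not ISC's or Snort's code: the rule in post #5 fires on any page that merely quotes the Class ID, which is the false positive described in its edit. This Python check separates a response body that names the Class ID in an `<object>` tag from one that only mentions the string; `classify`, its three result tiers and the sample bodies are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Class ID of the vulnerable component, as published by ISC and quoted in the thread.
MSDDS_CLSID = "EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"
_CLSID_RE = re.compile(re.escape(MSDDS_CLSID), re.IGNORECASE)


class _ObjectTagScanner(HTMLParser):
    """Records <object> tags whose classid attribute names the MSDDS Class ID."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hit_lines = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names and decodes character
        # references in attribute values, so matching is done on normalised text.
        if tag != "object":
            return
        classid = dict(attrs).get("classid") or ""
        if _CLSID_RE.search(classid):
            self.hit_lines.append(self.getpos()[0])


def classify(body: str) -> str:
    """Return 'instantiates', 'mentions' or 'clean' for one HTTP response body."""
    scanner = _ObjectTagScanner()
    scanner.feed(body)
    scanner.close()
    if scanner.hit_lines:
        return "instantiates"      # page asks the browser to load the component
    if _CLSID_RE.search(body):
        return "mentions"          # string present only as text: lower priority
    return "clean"


# Constructed sample bodies (assumptions for illustration, not captured traffic).
SAMPLE_EMBED = '<html><body><OBJECT ClassID="CLSID:%s"></OBJECT></body></html>' % MSDDS_CLSID.lower()
SAMPLE_ENCODED = '<object classid="clsid:%s"></object>' % MSDDS_CLSID.replace("-", "&#45;")
SAMPLE_FORUM = "<p>Filter your proxy for this string: %s</p>" % MSDDS_CLSID
SAMPLE_CLEAN = "<p>Infocon just went YELLOW again</p>"

if __name__ == "__main__":
    for name in ("SAMPLE_EMBED", "SAMPLE_ENCODED", "SAMPLE_FORUM", "SAMPLE_CLEAN"):
        print(name, "->", classify(globals()[name]))
```

Keep the 'mentions' tier as a low-priority alert rather than discarding it; it is the tier a security forum or advisory page quoting the Class ID will land in.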

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Hmm, I tried the exploit code and was not able to reproduce the issue. Anyone else?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    *grin* That better ?

    Did you meet all the conditions they mentioned Horse ?

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Yeppers. I suspect that perhaps one of the updates may have inadvertently fixed the issue. You know how everything in Windows is meshed with every app they have.

  9. #9
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Well they did mention early on that the issue seemed related to a certain security bulletin that was patched but that the patch didn't seem to fix it...maybe there is a bit of missing info for the sploit to work?

  10. #10
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    FYI - Infocon just went YELLOW again: http://isc.sans.org/

    In case you want to monitor the alert status on your sys tray or get feeds, in case you don't have it: http://isc.sans.org/infocon.php
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.
