SANS Infocon at Yellow - IE Exploit

    #1 Deeboe (Senior Member; Join Date: Nov 2005; Posts: 185)

    SANS Infocon at Yellow - IE Exploit

    Hello,

    I was just informed that the SANS ISC Infocon is at YELLOW.

    It is due to the IE exploit announced yesterday.

    From the ISC
    IE exploit on the loose, going to yellow
    Published: 2006-03-23,
    Last Updated: 2006-03-23 20:18:59 UTC by Jim Clausing (Version: 1)

    Folks, as Lorna predicted yesterday , it didn't take long for the exploits to appear for that IE vulnerability. One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact, one of our readers has provided us with a version that he created that is more destructive). For that reason, we're raising Infocon to yellow for the next 24 hours.

    Workarounds/mitigation

    Microsoft has posted this and suggests that turning off Active Scripting will prevent this exploit from working. You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are.

    One of our readers asked whether DropMyRights from Microsoft would provide any protection. We haven't had an opportunity to test that out.

    I understand a snort signature to detect the exploit has been checked in to bleeding-snort, I'll update the story with a URL for the sig as soon as I find it.


    References

    Original Secunia bulletin: http://secunia.com/advisories/18680/
    Microsoft blog: http://blogs.technet.com/msrc/archiv...22/422849.aspx
    Watch out!

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

    #2 (Banned; Join Date: Apr 2003; Posts: 1,147)
    Dang! Leave my desk long enough to fry a burrito and look what happens!

    grumble grumble

    ======

    [EDIT]
    Microsoft now has an advisory posted for this:

    http://www.microsoft.com/technet/sec...ry/917077.mspx
    [/EDIT]

    #3
    Howdy..

    I got stung by that about half an hour ago. I thought it was a prank, but when I refreshed next, I noticed that weird things were happening..

    That's the last time i use ie to catch up on the morning news...

    cheers
    f2b

    #4 nihil (Super Moderator: GMT Zone; Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,190)
    Internet Explorer? who is that? Christopher Columbus? Vasco da Gama?

    I don't use it..........why? because Microsoft don't sell it

    Think about that folks..............sure, the others are "free" but they survive through advertising etc....Internet Explorer does not, so is the most attacked and least well protected.

    In truth Microsoft don't "need" Internet Explorer.................in fact its "embedded status" is almost making it a problem child?

    I have seen M$ dump their own AV product in my lifetime...........maybe IE will be next?

    Just my twisted logic
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

    #5 genXer (Senior Member; Join Date: Jun 2005; Posts: 252)

    Does the fun ever stop... an update!

    Hello all-

    Just checked out the update and here I thought I could slack a lil' bit today:

    Da update:
    IE exploit on the loose, going to yellow
    Published: 2006-03-24,
    Last Updated: 2006-03-24 04:01:25 UTC by Jim Clausing (Version: 1)

    Folks, as Lorna predicted yesterday, it didn't take long for the exploits to appear for that IE vulnerability. One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact one of our readers, Matt Davis, has provided us with a version that he created that is more destructive). For that reason, we're raising Infocon to yellow for the next 24 hours.


    Workarounds/mitigation

    Microsoft has posted this and suggests that turning off Active Scripting will prevent this exploit from working. You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are.

    One of our readers asked whether DropMyRights from Microsoft would provide any protection. We haven't had an opportunity to test that out.

    I understand a snort signature to detect the exploit has been checked in to bleeding-snort, I'll update the story with a URL for the sig as soon as I find it.


    References

    Original Secunia bulletin: http://secunia.com/advisories/18680/
    Microsoft blog: http://blogs.technet.com/msrc/archiv...22/422849.aspx
    Annnd just in case you're as mad as hell, and you're not going to take it anymore! (paraphrased by Peter Finch as Howard Beale in "Network") - read the underlined area above first though:

    Firefox: http://www.mozilla.com/firefox/
    Opera: http://www.opera.com/
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt), Fight Club.

    #6
    Originally posted by nihil
    in fact its "embedded status" is almost making it a problem child?
    Sorry to play Devil's Advocate, but IE's embedded status is its greatest feature. Not only is it faster, but it is more securable than anything else.


    And how is the world going nuts over an exploit that can be 100% mitigated with scripting restrictions that should already be in place?

    #7 (AO Ancient: Team Leader; Join Date: Oct 2002; Posts: 5,197)
    Originally posted by Synja
    And how is the world going nuts over an exploit that can be 100% mitigated with scripting restrictions that should already be in place?
    Yep...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

    #8 Deeboe (Senior Member; Join Date: Nov 2005; Posts: 185)
    Originally posted here by Synja
    And how is the world going nuts over an exploit that can be 100% mitigated with scripting restrictions that should already be in place?
    Funny you should mention that. This is the latest addition to the ISC Diary by Ed Skoudis:

    ...I tested the sploit on a box with software-based DEP and DropMyRights... here are the results:

    Software-based DEP protecting core Windows programs: sploit worked
    Software-based DEP protecting all programs: sploit worked
    DropMyRights, config'ed to allow IE to run (weakest form of DropMyRights protection): sploit worked
    Active Scripting Disabled: sploit failed
    BTW - Welcome back d0pp.

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/
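The ISC test quoted in the post above found that only disabling Active Scripting stopped the exploit. As an added example (not part of the thread or of the ISC diary), the PowerShell below audits whether that setting is actually disabled in the Internet and Restricted sites zones for the current user, honouring a machine policy value when one is set. It assumes the documented IE zone registry layout: zone 3 = Internet, zone 4 = Restricted sites, DWORD 1400 = Active scripting with 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example: audit the IE "Active Scripting" setting that the quoted ISC
# test found to be the effective mitigation. Assumed registry layout:
#   zone 3 = Internet, zone 4 = Restricted sites
#   DWORD 1400 = Active scripting: 0 = Enable, 1 = Prompt, 3 = Disable
# A value under HKLM\...\Policies (Group Policy) overrides the HKCU value.

$zoneNames   = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$zoneDefault = @{ 3 = 0; 4 = 3 }   # zone template default when no value is stored
$meaning     = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    param([int]$Zone)
    $policyPath = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $userPath   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $source = 'template default'
    $value  = $zoneDefault[$Zone]
    # Policy wins over the per-user setting, so it is checked first.
    foreach ($path in @($policyPath, $userPath)) {
        $v = (Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue).'1400'
        if ($null -ne $v) {
            $source = if ($path -eq $policyPath) { 'machine policy' } else { 'user setting' }
            $value  = [int]$v
            break
        }
    }
    [pscustomobject]@{
        Zone     = $zoneNames[$Zone]
        Source   = $source
        Setting  = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "unknown ($value)" }
        Disabled = ($value -eq 3)
    }
}

$results = foreach ($z in $zoneNames.Keys) { Get-ActiveScriptingState -Zone $z }
$results | Format-Table Zone, Source, Setting, Disabled -AutoSize

# A non-zero exit lets a scheduled compliance job flag hosts that still
# run script from arbitrary Internet sites.
$internet = $results | Where-Object { $_.Zone -eq 'Internet' }
if (-not $internet.Disabled) {
    Write-Warning 'Active Scripting is still Enable or Prompt in the Internet zone.'
    exit 1
}
exit 0
```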

    #9
    Originally posted by Deeboe
    BTW - Welcome back d0pp.
    Thanks..


    There are almost no exploits that will work against a properly configured and secured system. The argument of course, is that it should come presecured. In reality, it doesn't work that way. When you buy a car, are the seats already set for your height and frame? No. You have to set things up yourself.

    I do believe that many things should be disabled by default, I mean, there is no reason to run unsigned ActiveX controls, etc. But the fact of the matter is that these settings are not buried deep in the registry or hidden from the average user, they are readily available in the Control Panel, or any of the many system/software configuration dialogs. There are more than enough free online resources that will allow you to secure your machine, people just need to do it.

    #10 nihil (Super Moderator: GMT Zone; Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,190)
    As far as modern systems and program design is concerned, embedded systems are obsolete.

    I can well remember struggling with 3,000 - 5,000 line RPGII/III programs. They are a bloody nightmare and don't let anyone tell you any different

    Later thinking is to go for modular designs and integrate the modules.

    Even Microsoft's top technical people admit that their development model is flawed. There was a post on this site about it a little while back.

    As for speed, all browsers claim to be the "fastest"; here is some research, as opposed to the opinionated BS we generally get served:

    http://www.howtocreate.co.uk/browserSpeed.html#winspeed

    Originally posted by Synja
    Sorry to play Devil's Advocate, but IE's embedded status is its greatest feature. Not only is it faster, but it is more securable than anything else.
    How can it be more securable? With an embedded system you don't have the faintest idea what it might be doing in the background. With a stand-alone application or a module at least you know what you are dealing with and can be reasonably happy that when it is off, it really is off.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?