-
March 23rd, 2006, 09:58 PM
#1
SANS Infocon at Yellow - IE Exploit
Hello,
I was just informed that the SANS ISC Infocon is at YELLOW.
It is due to the IE exploit announced yesterday.
From the ISC
IE exploit on the loose, going to yellow
Published: 2006-03-23,
Last Updated: 2006-03-23 20:18:59 UTC by Jim Clausing (Version: 1)
Folks, as Lorna predicted yesterday, it didn't take long for the exploits to appear for that IE vulnerability. One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact, one of our readers has provided us with a version that he created that is more destructive). For that reason, we're raising Infocon to yellow for the next 24 hours.
Workarounds/mitigation
Microsoft has posted this and suggests that turning off Active Scripting will prevent this exploit from working. You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are.
One of our readers asked whether DropMyRights from Microsoft would provide any protection. We haven't had an opportunity to test that out.
I understand a snort signature to detect the exploit has been checked in to bleeding-snort, I'll update the story with a URL for the sig as soon as I find it.
References
Original Secunia bulletin: http://secunia.com/advisories/18680/
Microsoft blog: http://blogs.technet.com/msrc/archiv...22/422849.aspx
Watch out!
-Deeboe
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War
http://tazforum.**********.com/
-
March 23rd, 2006, 10:03 PM
#2
Dang! Leave my desk long enough to fry a burrito and look what happens!
grumble grumble
======
[EDIT]
Microsoft now has an advisory posted for this:
http://www.microsoft.com/technet/sec...ry/917077.mspx
[/EDIT]
-
March 24th, 2006, 12:24 AM
#3
Howdy..
I got stung by that about half an hour ago. I thought it was a prank, but when I refreshed ext, I noticed that weird things were happening...
That's the last time I use IE to catch up on the morning news...
cheers
f2b
-
March 24th, 2006, 12:41 AM
#4
Internet Explorer? who is that? Christopher Columbus? Vasco da Gama?
I don't use it..........why? because Microsoft don't sell it
Think about that folks..............sure, the others are "free" but they survive through advertising etc....Internet Explorer does not, so is the most attacked and least well protected.
In truth Microsoft don't "need" Internet Explorer.................in fact its "embedded status" is almost making it a problem child?
I have seen M$ dump their own AV product in my lifetime...........maybe IE will be next?
Just my twisted logic
-
March 24th, 2006, 05:33 PM
#5
Does the fun ever stop... an update!
Hello all-
Just checked out the update and here I thought I could slack a lil' bit today:
Da update:
IE exploit on the loose, going to yellow
Published: 2006-03-24,
Last Updated: 2006-03-24 04:01:25 UTC by Jim Clausing (Version: 1)
Folks, as Lorna predicted yesterday, it didn't take long for the exploits to appear for that IE vulnerability. One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact one of our readers, Matt Davis, has provided us with a version that he created that is more destructive). For that reason, we're raising Infocon to yellow for the next 24 hours.
Workarounds/mitigation
Microsoft has posted this and suggests that turning off Active Scripting will prevent this exploit from working. You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are.
One of our readers asked whether DropMyRights from Microsoft would provide any protection. We haven't had an opportunity to test that out.
I understand a snort signature to detect the exploit has been checked in to bleeding-snort, I'll update the story with a URL for the sig as soon as I find it.
References
Original Secunia bulletin: http://secunia.com/advisories/18680/
Microsoft blog: http://blogs.technet.com/msrc/archiv...22/422849.aspx
Annnd just in case you're as mad as hell, and you're not going to take it anymore! (paraphrased by Peter Finch as Howard Beale in "Network") - read the underlined area above first though:
Firefox: http://www.mozilla.com/firefox/
Opera: http://www.opera.com/
"We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.
-
March 24th, 2006, 11:37 PM
#6
in fact its "embedded status" is almost making it a problem child?
Sorry to play Devil's Advocate, but IE's embedded status is its greatest feature. Not only is it faster, but it is more securable than anything else.
And how is the world going nuts over an exploit that can be 100% mitigated with scripting restrictions that should already be in place?
-
March 24th, 2006, 11:45 PM
#7
And how is the world going nuts over an exploit that can be 100% mitigated with scripting restrictions that should already be in place?
Yep...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 25th, 2006, 12:00 AM
#8
Originally posted here by Synja
And how is the world going nuts over an exploit that can be 100% mitigated with scripting restrictions that should already be in place?
Funny you should mention that. This is the latest addition to the ISC Diary by Ed Skoudis:
...I tested the sploit on a box with software-based DEP and DropMyRights... here are the results:
Software-based DEP protecting core Windows programs: sploit worked
Software-based DEP protecting all programs: sploit worked
DropMyRights, config'ed to allow IE to run (weakest form of DropMyRights protection): sploit worked
Active Scripting Disabled: sploit failed
BTW - Welcome back d0pp.
-Deeboe
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War
http://tazforum.**********.com/
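Added example, not from the ISC diary or anyone in this thread: a PowerShell check (and optional fix) for the one mitigation the handler's tests above found effective, Active scripting disabled in the Internet zone. It assumes the standard IE zone registry layout (Zones\3 = Internet zone, value 1400 = Active scripting with 0/1/3 = Enable/Prompt/Disable, a missing value meaning the zone template default of Enabled) and that Security_HKLM_only makes the machine-wide zone settings take precedence.

```powershell
# Added example (not from the ISC diary or this thread): audit, and optionally
# apply, the mitigation the handler's tests found effective: Active scripting
# disabled in the Internet zone. Assumed registry layout: Zones\3 = Internet zone,
# value 1400 = Active scripting, data 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Fix)

$relPath   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$valueName = '1400'
$labels    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# If Security_HKLM_only is set, IE honours the machine-wide zone settings and
# ignores the per-user ones, so audit the hive that is actually in effect.
$hklmOnly = (Get-ItemProperty -Path "HKLM:\$relPath" -Name 'Security_HKLM_only' `
             -ErrorAction SilentlyContinue).Security_HKLM_only
$hive     = if ($hklmOnly -eq 1) { 'HKLM:' } else { 'HKCU:' }
$zonePath = "$hive\$relPath\Zones\3"

$current = (Get-ItemProperty -Path $zonePath -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    # Missing value: IE falls back to the Internet zone template default,
    # which enables Active scripting (assumption stated in the lead-in).
    $current = 0
}
$label = if ($labels.ContainsKey([int]$current)) { $labels[[int]$current] } else { "Unknown ($current)" }
Write-Output "[$hive] Internet zone Active scripting: $label"

if ($current -eq 3) {
    Write-Output 'Mitigation in place.'
} elseif ($Fix) {
    # Writing under HKLM needs an elevated session; HKCU affects the current user only.
    Set-ItemProperty -Path $zonePath -Name $valueName -Value 3 -Type DWord
    Write-Output "Set Active scripting to Disabled in $zonePath."
} else {
    Write-Output 'Mitigation NOT in place; rerun with -Fix to disable Active scripting.'
}
```

Sites that genuinely need scripting can be added to the Trusted sites zone (Zones\2) rather than re-enabling it for the whole Internet zone.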
-
March 25th, 2006, 12:07 AM
#9
Thanks..
There are almost no exploits that will work against a properly configured and secured system. The argument of course, is that it should come presecured. In reality, it doesn't work that way. When you buy a car, are the seats already set for your height and frame? No. You have to set things up yourself.
I do believe that many things should be disabled by default, I mean, there is no reason to run unsigned ActiveX controls, etc. But the fact of the matter is that these settings are not buried deep in the registry or hidden from the average user, they are readily available in the Control Panel, or any of the many system/software configuration dialogs. There are more than enough free online resources that will allow you to secure your machine, people just need to do it.
-
March 25th, 2006, 06:29 AM
#10
As far as modern systems and program design is concerned, embedded systems are obsolete.
I can well remember struggling with 3,000 - 5,000 line RPGII/III programs. They are a bloody nightmare and don't let anyone tell you any different.
Later thinking is to go for modular designs and integrate the modules.
Even Microsoft's top technical people admit that their development model is flawed. There was a post on this site about it a little while back.
As for speed, all browsers claim to be the "fastest"; here is some research, as opposed to the opinionated BS we generally get served:
http://www.howtocreate.co.uk/browserSpeed.html#winspeed
Sorry to play Devil's Advocate, but IE's embedded status is its greatest feature. Not only is it faster, but it is more securable than anything else.
How can it be more securable? With an embedded system you don't have the faintest idea what it might be doing in the background. With a stand-alone application or a module at least you know what you are dealing with and can be reasonably happy that when it is off, it really is off.