
Thread: Head's Up! SANS ISC is Yellow! Yellow: WebViewFolderIcon setslice exploit spreading

#1 genXer (Senior Member, joined Jun 2005, 252 posts):

Head's Up! SANS ISC is Yellow! Yellow: WebViewFolderIcon setslice exploit spreading

    As of 2006-10-01 21:57:25 UTC by Swa Frantzen

    From the SANS ISC:

    Link (for updates): http://isc.sans.org/diary.php?storyid=1749

    Story to this point:
    Yellow: WebViewFolderIcon setslice exploit spreading.

    History

On Friday the 29th (and, for nearly all of our readers, past their working day), we saw the WebViewFolderIcon setslice exploit spreading in the wild. We raised our Infocon to Yellow in order to increase awareness of the problem and call for action. We have decided to stay Yellow until Monday morning for most of our readers. Without further spectacular developments we will go back to Green on Monday.

This exploit started in the Month of Browser Bugs on July 18th as a denial of service; however, its author recently released a code-executing variant of it.

Reason for Yellow

    The WebViewFolderIcon setslice exploit is becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

If you have not taken measures yet, please consider some emergency fixes to cover the weekend. The exploit is widely known, easy to recreate, and used on more and more websites. The risk of getting hit is increasing significantly, and the types of users of the exploit are also not the least dangerous ones. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove.

    Actions
We suggest the following actions (do them all: a layered approach will work when one of the measures fails):

- Update your antivirus software; make sure your vendor has protection for it (*).
- Install the following killbits (**):
  {844F4806-E8A8-11d2-9652-00C04FC30871}
  {E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
  Make sure you set both.
  You can do this manually as in the Microsoft security advisory, by using Tom Liston's tool, with a GPO, ...

- Consider asking your users to stop their usage of MSIE; we know it's hard to break an addiction, but you're using the most targeted browser in the world.
- We are aware of 3rd party patches, but our recommendation is to use the measures above instead for now.

    Quote
    Alex Sotirov from Determina on Full Disclosure: "We're also researching additional exploitation vectors. The underlying cause of the setSlice vulnerability is an integer overflow in COMCTL32.DLL, a core Windows component used by a large number of applications. The WebViewFolderIcon ActiveX control is most likely only one of the attack vectors for this vulnerability."
References
- CVE-2006-3730
- US-CERT note 753044
- Microsoft security advisory 926043
- Jesper's blog about setting the killbit using group policy (GPO)
- Exploit Prevention Labs blog entry - iframe
- Exploit Prevention Labs blog entry - CWS
- SunbeltBlog
- F-Secure blog
- Malicious ActiveX Controls (O'Reilly)
- Setting killbits (Microsoft - KB240797)

- Snort VRT sigs: SID 7985 and SID 7986, available since September 1st.
- JS/Exploit-BO.gen (McAfee)
- JS_PLOIT.BC (Trend Micro)
- Bloodhound.Exploit.83 (Symantec)
- Exploit.HTML.IESlice.a - Exploit.HTML.IESlice.c (Kaspersky)
- JS.CVE-2006-3730!exploit (CA)

- Sept. 30th diary
- Sept. 29th diary with tool to set the killbits
- Sept. 28th diary

(*): It's important to note the difference between your antivirus solution detecting the exploitation itself (very rare) and detecting the payload of known exploits (common). Only the first will offer real protection against new threats.
(**): There are currently no reports of side effects on other applications when stopping this ActiveX control.

    --
    Swa Frantzen -- Section66
    In case I don't make it back to update - please keep up with the experts at SANS ISC.

    Happy Monday - Woo-Hoo!
"We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.
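
The "set both killbits" step in the quoted diary, worked through as an added PowerShell example. This is not Tom Liston's tool or code from the ISC or Microsoft; it follows the documented mechanism from KB240797 (setting bit 0x400 in the "Compatibility Flags" DWORD under the ActiveX Compatibility key) and uses the two CLSIDs listed above. The function names and the Wow6432Node handling for 32-bit IE on 64-bit Windows are my additions; run it from an elevated prompt.

```powershell
# Added example: set the two kill bits recommended in the ISC diary and verify them.
# Mechanism per Microsoft KB240797: "Compatibility Flags" DWORD with bit 0x400 set
# under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# Requires an elevated (administrator) PowerShell prompt.

$KillBitFlag = 0x400

# CLSIDs from the diary (WebViewFolderIcon control); set both.
$Clsids = @(
    '{844F4806-E8A8-11d2-9652-00C04FC30871}',
    '{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}'
)

# Native view plus the 32-bit view used by 32-bit IE on 64-bit Windows (assumption:
# the Wow6432Node branch is only touched if it already exists on this machine).
$BaseKeys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer') {
    $BaseKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-KillBit {
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in rather than overwriting, so other compatibility flags survive.
    $new = $current -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

foreach ($base in $BaseKeys) {
    foreach ($clsid in $Clsids) {
        Set-KillBit -BaseKey $base -Clsid $clsid
        if (Test-KillBit -BaseKey $base -Clsid $clsid) {
            Write-Output "kill bit set: $base\$clsid"
        } else {
            Write-Warning "kill bit NOT set: $base\$clsid"
        }
    }
}
```

Test-KillBit is the check to keep around: run it alone on each CLSID after a GPO push or after using someone else's tool, since a kill bit that was written with a plain overwrite (rather than OR-ed in) or only into one registry view is the kind of thing that looks done and is not. Open IE instances need to be restarted before the flag takes effect.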

#2 genXer (Senior Member, joined Jun 2005, 252 posts):

UPDATE: SANS ISC Back to Green! As of: 2006-10-02 17:30:53 UTC

    FYI - I was able to check real quick:

    Link: http://isc.sans.org/diary.php?storyid=1752

    Updated story:
Back to green, but the exploits are still running wild
    Published: 2006-10-02,
    Last Updated: 2006-10-02 17:30:53 UTC by Jim Clausing (Version: 1)
Folks, as is our policy here at the Internet Storm Center, once we feel we've raised awareness of an issue by raising infocon to yellow, we move it back to green (otherwise, with the constant release of exploits for unpatched vulnerabilities, infocon would stay at a heightened level and become as meaningless as the DHS terrorist threat level). Normally we do this after 24 hours, but in this case, since we didn't raise infocon until Saturday, we felt we should wait until most folks had made it back to work on Monday before going back. That doesn't mean that there is no more risk. Quite to the contrary: until the vulnerabilities are patched, the risk remains high, because we know there are many variants of the exploit in the wild as I type this. There were even Metasploit modules released over the weekend, so it doesn't take much talent at this point to create a new exploit. However, we feel that things have leveled off somewhat. We've published pointers to the workarounds in Saturday's story, so there isn't much more that we can do at this point other than remain vigilant.
    Back to the bar!... Errr... I mean work!
