
StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

IE Zero Day is "For Real"

quote:
And yes, there is code in the wild that exploits this (since Sept 14th). And no, there is no patch for it yet

If you're still running IE7,8 or 9, today is a good day to think about switching browsers for a couple of weeks.

»isc.sans.edu/diary/IE+Zero+Day+i···l+/14107
--
Don't feed trolls--it only makes them grow!


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2

I understand that has been fixed in IE10 RTM.


redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to StuartMW

the "zero-day" IE vulnerability was also mentioned at "secunia":

»secunia.com/advisories/50626/



Triple Helix
Go Blue Jays Go
Premium
join:2007-07-26
Oshawa, ON
kudos:7
Reviews:
·Rogers Hi-Speed
reply to StuartMW

More info here also! »community.rapid7.com/community/m···tasploit

TH



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to StuartMW



chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
reply to StuartMW

quote:
Conclusion
The guys who developed this new 0day were not happy to have been caught; they just removed all the files from the source server 2 days after my discovery. But also, more interestingly, they also removed a Java 0day variant from other folders.
Eric Romang
--
Gladiator Security Forum: www.gladiator-antivirus.com/


Triple Helix
Go Blue Jays Go
Premium
join:2007-07-26
Oshawa, ON
kudos:7
Reviews:
·Rogers Hi-Speed

1 edit
reply to StuartMW

Even more info: »arstechnica.com/security/2012/09···xplorer/ and »www.securityweek.com/new-interne···ted-wild

TH

--
Triple Helix - Microsoft® MVP Consumer Security 2012
VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)
Official Webroot SecureAnywhere (Prevx) Support Forum Helper.
(H59 Clan)



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 recommendations

reply to StuartMW

I guess this is one occasion where Dude111 is actually better off running IE6
--
Don't feed trolls--it only makes them grow!



kickass69

join:2002-06-03
Lake Hopatcong, NJ

Even sh*t has one good use (manure) so does IE 6 in this case.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to StuartMW

Microsoft Security Advisory (2757760)
Vulnerability in Internet Explorer Could Allow Remote Code Execution

quote:
Microsoft is investigating public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected.

Microsoft is aware of targeted attacks that attempt to exploit this vulnerability.

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
»technet.microsoft.com/en-us/secu···/2757760
--
siljaline

Here at Mountain View Chocolate, we’re committed to transparency and choice


DevilFrank

join:2003-07-13
Reviews:
·T-Com
reply to StuartMW

What is new with this exploit?
You need Flash to do a heap spray first to inject the executable code into memory; without that the exploit is useless. In addition, ActiveX/Active Script must be enabled in IE.
Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones to stop it.

It's a general recommendation to use IE already years ago...
--
Regards from Germany. Please excuse my stumbling English



ashrc4
Premium
join:2009-02-06
australia

said by DevilFrank:

It's a general recommendation to use IE already years ago...

The current recommendation is that users install EMET as well.

»www.theage.com.au/it-pro/securit···3vv.html
--
Paradigm Shift beta test pilot. "Dying to defend one's small piece of suburb...Give me something global...STAT!


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to StuartMW

if it's from Sept. 14th

it's not a zero-day exploit anymore.
--
--Standard disclaimers apply.--



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

said by AVD:

it's not a zero-day exploit anymore.

Nice watch you have there...

"Last week, I went to Philadelphia, but it was closed."
W. C. Fields
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


therube

join:2004-11-11
Randallstown, MD

1 edit
reply to ashrc4

Re: IE Zero Day is "For Real"

> You need flash

And that's what, 99% of IE users (& other browser users too).
And with IE10, you know you will have Flash, because MS is going to be doing the updates for that.

> ActiveX/Active Script must be enabled in IE

Again, what's that 99% of the populace.

> Set Internet and Local intranet security zone settings to "High"

Since we're throwing out random, meaningless numbers, let's try, 1%?

> current recommendation is that users install EMET

And again.

So it sounds like we have a very viable exploit on our hands.

The advisory Suggested Actions was an interesting read.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to Anon

Re: IE Zero Day is "For Real"

Some Enterprise users might not have a choice and must stick with IE... in that case do the "patch"... but for home users I think it will be a PITA and for others too difficult.

German government urges public to stop using Internet Explorer

(Reuters) - The German government urged the public on Tuesday to temporarily stop using Microsoft Corp's Internet Explorer following discovery of yet-to-be repaired bug in the web browser that the software maker said makes PCs vulnerable to attack by hackers.

The security flaw, which affects hundreds of millions of Internet Explorer browser users around the globe, publicly surfaced over the weekend.

Microsoft had said on Monday that attackers can exploit the bug to infect the PC of somebody who visits a malicious website and then take control of the victim's computer.

The German government's Federal Office for Information Security, or BSI, said that it was aware of targeted attacks and that all that was needed was to lure web surfers to a website where hackers had planted malicious software that exploited the bug in Internet Explorer to infect their PCs.

"A fast spreading of the code has to be feared," the German government said in its statement.

BSI advised all users of Internet Explorer to use an alternative browser until the manufacturer has released a security update.

Officials with Microsoft did not respond to a request for comment on the move by the German government.

The company late on Monday urged customers to install a piece of security software as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer.

Microsoft did not say how long that will take, but several security researchers said they expect the update within a week.

The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available through an advisory on Microsoft's website: blogs.technet.com/b/msrc/

The EMET software must be downloaded, installed and then manually configured to protect computers from the newly discovered threat, according to the posting from Microsoft. The company also advised customers to adjust several Windows security settings to thwart potential attackers, but cautioned that doing so might impact the PC's usability.

Some security experts had said it would be too cumbersome for many PC users to implement the measures suggested by Microsoft. Instead they advised Windows users to temporarily switch from Internet Explorer to rival browsers such as Google Inc's Chrome, Mozilla's Firefox or Opera Software ASA's Opera.

»www.reuters.com/article/2012/09/···20120918
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to StuartMW

Additional information about Internet Explorer and Security Advisory 2757760

quote:
We will release a Fix it in the next few days to address an issue in Internet Explorer, as outlined in the security advisory 2757760 that we released yesterday.

While we have only seen a few attempts to exploit the issue, impacting an extremely limited number of people, we are taking this proactive step to help ensure Internet Explorer customers are protected and able to safely browse online.
Full MSRC Blog Entry


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to StuartMW

said by StuartMW:

I guess this is one occasion where Dude111 is actually better off running IE6

Software giant says it has seen only a few attempts to exploit the weakness, which affects users of Internet Explorer versions 6 through 9.



FF4m3

@bhn.net
reply to StuartMW

Inside the guts of a fiendish Internet Explorer 0-day attack:

Frightening stuff.



FF4m3

@bhn.net

IE execCommand function Use after free Vulnerability 0day en:

Confirmed that it can lead fully patched IE7/IE8/IE9 to code execution, and the zero-day attack has been found in the wild.

When the execCommand function of IE executes a command event, it allocates the corresponding CMshtmlEd object via the AddCommandTarget function, and then calls the mshtml@CMshtmlEd::Exec() function to execute it.

But after the execCommand function adds the corresponding event, it immediately triggers and calls the corresponding event function. In the event function that is called, the document.write("L") function rewrites the HTML. This leads IE to call CHTMLEditor::DeleteCommandTarget to release the originally allocated CMshtmlEd object, and then triggers the use-after-free vulnerability when the mshtml!CMshtmlEd::Exec() function is executed afterwards,...

From H-Online:

In the blog post, Yunsun Wee, Trustworthy Computing Director at Microsoft, says that the company has only seen "a few attempts to exploit the issue", and that only "an extremely limited number of people" have been affected. However, the company neglects to mention that a module for the Metasploit attack framework; this allows almost anyone to exploit the vulnerability for their own ends.

Microsoft also continues to omit the simplest protection against attacks via the IE hole – to use an alternative browser such as Firefox or Google Chrome.
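
The object-lifetime ordering described in the post above, as an added example that is not part of the original post and is not Internet Explorer code: a small C model showing why using a borrowed pointer after a re-entrant event handler goes wrong, and how holding a reference across the callback prevents it. The names `CmdTarget`, `Doc` and the dispatch functions are hypothetical, and release is simulated with a flag so the stale use is detected rather than performed.

```c
#include <stdio.h>

/* Constructed model, not mshtml code. Storage is never really freed:
   'alive' is cleared instead, so a stale use can be detected safely. */
typedef struct { int refs; int alive; } CmdTarget;   /* hypothetical */
typedef struct { CmdTarget *target; } Doc;           /* hypothetical */
typedef void (*Handler)(Doc *);

static void target_addref(CmdTarget *t) { t->refs++; }
static void target_release(CmdTarget *t) {
    if (--t->refs == 0) t->alive = 0;   /* stands in for free() */
}

/* Handler that rewrites the document, dropping the doc's reference. */
static void rewriting_handler(Doc *d) {
    if (d->target) { target_release(d->target); d->target = NULL; }
}

/* Returns 0 on a live object, -1 when called on a released one. */
static int target_exec(const CmdTarget *t) { return t->alive ? 0 : -1; }

/* Flawed order: borrow a raw pointer, run the handler, then use it. */
int dispatch_unguarded(Doc *d, Handler h) {
    CmdTarget *t = d->target;
    h(d);
    return target_exec(t);
}

/* Guarded order: hold our own reference across the re-entrant callback. */
int dispatch_guarded(Doc *d, Handler h) {
    CmdTarget *t = d->target;
    target_addref(t);
    h(d);
    int rc = target_exec(t);
    target_release(t);
    return rc;
}

/* Runs one dispatcher against a fresh document and returns its result. */
int run_case(int guarded) {
    CmdTarget t = { 1, 1 };
    Doc d = { &t };
    return guarded ? dispatch_guarded(&d, rewriting_handler)
                   : dispatch_unguarded(&d, rewriting_handler);
}

int main(void) {
    printf("unguarded=%d guarded=%d\n", run_case(0), run_case(1));
}
```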



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 edit

1 recommendation

reply to StuartMW

The MS Fix It is available:
»support.microsoft.com/kb/2757760
Please see my revised comment to NICK ADSL UK
Here: • »Microsoft Security Advisory (2757760)