

siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to Lagz

Re: IE Zero-Day

Thanks for the link. IIRC, gadgets and sidebar are long gone by way of extenuating issues on both for a good while.

Although there is a FixIt, the exploit is well explained here.



Lagz
Premium
join:2000-09-03
The Rock
reply to siljaline

said by siljaline:

Happy New Year
Define sidebar. Do you mean Gadgets?

»windows.microsoft.com/en-US/wind···overview
--
When somebody tells you nothing is impossible, ask him to dribble a football.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to Cartel

Happy New Year
Define sidebar. Do you mean Gadgets?



Lagz
Premium
join:2000-09-03
The Rock

2 edits
reply to trparky

said by trparky:

Oh shit, I think I know how this exploit may work.

There's an attack technique which is used to overwrite the Structured Exception Handler which would, in any other case, catch the Null Reference Exception and handle it cleanly so that the program would not appear to crash.

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack. Then, something would be used to trigger (a call to a null Object, in this case) the Exception Handler and since it's been overwritten with arbitrary code, the program would then be vulnerable to attack.

All of which EMET helps guard a program against.

I wonder if flash or IE uses standard exception handlers or do they write their own? My instructor in C# told us to write our own exception handling when possible rather than throw standard exceptions, this might be why. When I was first introduced to exceptions I was like, HELL YEA I don't have to write as much code now. We had been writing our own exception handling up to that point. I wonder if they are just throwing standard exceptions if that's a result from laziness or management hurriedly wanting code pushed out the door?
--
When somebody tells you nothing is impossible, ask him to dribble a football.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit
reply to Blackbird

said by Blackbird:

...I finally took my Win98FE/KernelEx system off-line a couple of years ago (though I still run it at times as an isolated system for a few pieces of legacy software on it that I occasionally need).

You can probably image its HD(s) and run it as a Virtual Machine (VM). Then you'd have an anchor for a (small) boat.

I have a bunch of VM's, including some of old hardware, and use them from time to time.

The good thing about VM's is that their HD(s) are just (VHD) files. Easily backed up and copied if you want to try/test something without messing up the original. I quite often test things in VM's.
--
Don't feed trolls--it only makes them grow!


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to goalieskates

said by goalieskates:

... If somebody doesn't want to go to a higher version browser and can live with Win98 or WinXP, more power to them.

That is the challenge, though... living with them. In the case of Win98, not only can't one find secure browsers that will run under the OS, they can't even find current anti-malware software that will run. Nearly all of what one finds that will run (if they look really hard) is outdated ("vintage") and riddled with bugs or security holes. The only thing in one's favor is that the number of exploits targeting your OS is slowly declining - especially new zero-days. It's the main reason I finally took my Win98FE/KernelEx system off-line a couple of years ago (though I still run it at times as an isolated system for a few pieces of legacy software on it that I occasionally need).
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to goalieskates

Win 3.1 and IE 3.01 forever!



goalieskates
Premium
join:2004-09-12
land of big
reply to Dustyn

said by Dustyn:

People using Internet Explorer 9-10 are not impacted... So in this instance, newer is better. However, I'm only referencing this particular vulnerability. For Microsoft to also patch IE6 is a step backwards from their own abandon IE6 campaign.

It is, but the whole campaign is silly anyway. As long as the newer versions of IE are up to snuff, it really doesn't matter what other people choose to run. More to the point, people who run IE6 haven't upgraded their Windows, either - which hurts revenue and is really what that's all about.

We went to the moon without benefit of IE and Windows. If somebody doesn't want to go to a higher version browser and can live with Win98 or WinXP, more power to them.


Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

1 edit

1 recommendation

reply to goalieskates

said by goalieskates:

said by Dustyn:

Who the hell cares if IE6 is vulnerable?
Microsoft has to stop patching IE6 or people will continue to use it.
»www.ie6countdown.com/

And the newer versions aren't?

People using Internet Explorer 9-10 are not impacted... So in this instance, newer is better. However, I'm only referencing this particular vulnerability. For Microsoft to also patch IE6 is a step backwards from their own abandon IE6 campaign.
--
Remember that cool hidden "Graffiti Wall" here on BBR? After the name change I became the "owner", so to speak as it became: Dustyn's Wall »[Serious] RIP


Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS

1 recommendation

reply to siljaline

said by siljaline:

MS FixIt available at this MS KB.
»support.microsoft.com/kb/2794220

I'm surprised it didn't say to disable Internet Explorer along with the Sidebar.


goalieskates
Premium
join:2004-09-12
land of big

1 recommendation

reply to Dustyn

said by Dustyn:

Who the hell cares if IE6 is vulnerable?
Microsoft has to stop patching IE6 or people will continue to use it.
»www.ie6countdown.com/

And the newer versions aren't? The more complex things become, the more vulnerable they are. Anyone who's actually worked in coding knows that.

You may like the newer versions, you may like their new functionality, but that doesn't automatically mean they're safer. They have problems and attack vectors IE6 never even dreamed of. Let's not confuse programming reality with marketing.


Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

1 recommendation

reply to redwolfe_98

Fix it here, fix it there, fix it everywhere



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 edit
reply to StuartMW

You're welcome.
From: »blogs.technet.com/b/srd/archive/···ers.aspx
Update December 31: Fix It tool is available.
»support.microsoft.com/kb/2794220



chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 recommendation

reply to redwolfe_98


Microsoft Security Advisory (2794220)

Vulnerability in Internet Explorer Could Allow Remote Code Execution
Updated: Monday, December 31, 2012

Microsoft Fix it solution, "MSHTML Shim Workaround", that prevents exploitation of this issue

See Microsoft Knowledge Base Article 2794220 to use the automated Microsoft Fix it solution to enable or disable this workaround.

Here it is: Fix it for me - FixIt Solution



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit
reply to siljaline

Got it--thanks.

Of course it won't fix IE6 on a Win2K system. Did IE8 on WinXP SP3 fine though.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to redwolfe_98

MS FixIt available at this MS KB.
»support.microsoft.com/kb/2794220



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to trparky

said by trparky:

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack.

...

All of which EMET helps guard a program against.

That is my understanding as well.
--
Don't feed trolls--it only makes them grow!


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
reply to trparky

Many of Microsoft's newer programs have these exploit protections baked into the compiled code of the program. But, this only happens with programs that have been compiled with recent versions of the Microsoft Visual C++ Compiler.

My guess is that Internet Explorer 9 and 10, which aren't vulnerable, have been compiled with Visual C++ 2010 or newer and the older versions are still being compiled with pre-2010 C++ compiler thus not having the protections baked into the compiled code.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
reply to trparky

There's something called Structured Exception Handling Overwrite Protection or SEHOP. It does this by preventing attackers from being able to use the SEH overwrite technique by verifying that the thread’s exception handler list is intact before allowing any of the registered exception handlers to be called or executed. This mitigation technique is made possible by a side-effect of overwriting the SEH. The side-effect is that the pointer in the program’s memory stack is corrupted in the process of overwriting the SEH, thus the integrity of the exception handling chain is broken.

An Exception Handler is anything that may include the use of TRY, CATCH, and FINALLY.

I did a presentation on various exploit techniques for my end of class project for my CompTIA Security+ prep class. I covered the use of EMET extensively so I had to actually do some research into how many of these attacks work on a basic level.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)
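
The chain-integrity check described in the post above, as a simplified model added here (not part of the original thread and not Microsoft's code): the exception registration list is walked and validated before any handler would be dispatched. The type and function names (`reg_t`, `chain_is_intact`, `demo`), the stand-in handlers, the 64-hop limit and the simulated stack are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of an SEH registration record: a link to the next record
   plus a handler pointer. Illustrative names, not the Windows definitions. */
typedef struct reg {
    struct reg *next;
    void (*handler)(void);
} reg_t;

#define CHAIN_END ((reg_t *)(uintptr_t)-1)   /* end-of-chain marker */

static void final_handler(void) {}  /* stands in for the OS's known last handler */
static void app_handler(void) {}    /* stands in for an application try/except */

/* SEHOP-style check: walk the whole chain before dispatching anything.
   Every record must lie inside the thread's stack range, and the walk must
   end at the record carrying the known final handler.
   Returns 1 if the chain is intact, 0 otherwise. */
int chain_is_intact(const reg_t *head, const void *lo, const void *hi) {
    const reg_t *r = head;
    for (int hops = 0; hops < 64; hops++) {          /* bound against cycles */
        uintptr_t p = (uintptr_t)r;
        if (p < (uintptr_t)lo || p + sizeof *r > (uintptr_t)hi) return 0;
        if (p % sizeof(void *) != 0) return 0;       /* misaligned record */
        if (r->next == CHAIN_END) return r->handler == final_handler;
        r = r->next;
    }
    return 0;
}

/* Constructed scenario: three records on a simulated stack. With `corrupt`
   set, the middle record is filled with 0x41 bytes, the way an overrun that
   reaches the handler pointer also destroys the adjacent link field. */
int demo(int corrupt) {
    reg_t stack[3];
    stack[2].next = CHAIN_END;  stack[2].handler = final_handler;
    stack[1].next = &stack[2];  stack[1].handler = app_handler;
    stack[0].next = &stack[1];  stack[0].handler = app_handler;
    if (corrupt) memset(&stack[1], 0x41, sizeof stack[1]);
    return chain_is_intact(&stack[0], stack, stack + 3);
}
```

The clobbered link no longer leads to the final record, so the walk fails and no handler from the damaged chain is ever called.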



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

1 recommendation

reply to siljaline

Oh shit, I think I know how this exploit may work.

There's an attack technique which is used to overwrite the Structured Exception Handler which would, in any other case, catch the Null Reference Exception and handle it cleanly so that the program would not appear to crash.

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack. Then, something would be used to trigger (a call to a null Object, in this case) the Exception Handler and since it's been overwritten with arbitrary code, the program would then be vulnerable to attack.

All of which EMET helps guard a program against.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to trparky

I'm not big on code, trparky. When I was an IE MVP, I could have asked the IE Team at MS. I no longer have that option accessible to me.

What we have in this thread is the latest information.

I suspect we will know more in the forthcoming days if MS will issue an out-of-band patch or perhaps a FixIt.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit
reply to trparky

said by trparky:

Not to sound like an idiot, but wouldn't referencing an object after it's been removed or freed up (made null) cause a Null Reference Exception?

I haven't looked into it in any detail but apparently there are some rather clever techniques that can be used to access deallocated memory. Take a look at the EMET manual as it has basic explanations of some common tricks.
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Juggernaut

+1



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

2 recommendations

reply to redwolfe_98

The only thing I use IE for is DL'ing Win updates.



mmainprize

join:2001-12-06
Houghton Lake, MI
Reviews:
·Charter

1 recommendation

reply to trparky

said by trparky:

said by EGeezer:

What's this "Internet Explorer" people are speaking of?

It's that other browser you use to download Firefox or Google Chrome with.

LMAO, My side hurts


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit
reply to EGeezer

You might know it as Internet Exploder



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

1 recommendation

reply to EGeezer

said by EGeezer:

What's this "Internet Explorer" people are speaking of?

It's that other browser you use to download Firefox or Google Chrome with.


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8

1 recommendation

reply to StuartMW

What's this "Internet Explorer" people are speaking of?



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
reply to silentlooker

said by silentlooker:

I still use ie 5 and extremely happy.

Awesome.
The advisory does not discuss IE5.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to La Luna

Well if you're "lucky" you're probably "happy" too

Probably not many bad guys targeting IE5 any more.
--
Don't feed trolls--it only makes them grow!