

La Luna
Survived Ashraful
Premium
join:2001-07-12
Warwick, NY
kudos:3

reply to silentlooker

Re: IE Zero-Day

said by silentlooker:

said by Dustyn:

said by Dustin Childs :

“We are actively investigating reports of a small, targeted issue affecting Internet Explorer 6-8,” Childs said in an emailed statement.

Who the hell cares if IE6 is vulnerable?
Microsoft has to stop patching IE6 or people will continue to use it.
»www.ie6countdown.com/

I still use ie 5 and extremely happy lucky.

Fixed.
--
The Alien in the White House

20,085 DEADLY TERROR ATTACKS SINCE 9/11


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Well if you're "lucky" you're probably "happy" too

Probably not many bad guys targeting IE5 any more.
--
Don't feed trolls--it only makes them grow!



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:10

reply to silentlooker

said by silentlooker :

I still use ie 5 and extremely happy.

Awesome.
The advisory does not discuss IE5.


EGeezer
Go Cats
Premium
join:2002-08-04
Midwest
kudos:8

reply to StuartMW
What's this "Internet Explorer" people are speaking of?



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
Reviews:
·Time Warner Cable

said by EGeezer:

What's this "Internet Explorer" people are speaking of?

It's that other browser you use to download Firefox or Google Chrome with.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

reply to EGeezer
You might know it as Internet Exploder



mmainprize

join:2001-12-06
Houghton Lake, MI

reply to trparky

said by trparky:

said by EGeezer:

What's this "Internet Explorer" people are speaking of?

It's that other browser you use to download Firefox or Google Chrome with.

LMAO, My side hurts


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

reply to redwolfe_98
The only thing I use IE for is DL'ing Win updates.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

+1



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Reviews:
·CenturyLink

1 edit

reply to trparky

said by trparky:

Not to sound like an idiot, but wouldn't referencing an object after it's been removed or freed up (made null) cause a Null Reference Exception?

I haven't looked into it in any detail but apparently there are some rather clever techniques that can be used to access deallocated memory. Take a look at the EMET manual as it has basic explanations of some common tricks.
--
Don't feed trolls--it only makes them grow!


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

reply to trparky
I'm not big on code, trparky. When I was an IE MVP, I could have asked the IE Team at MS. I no longer have that option accessible to me.

What we have in this thread is the latest information.

I suspect we will know more in the forthcoming days if MS will issue an out-of-band patch or perhaps a FixIt.



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
Reviews:
·Time Warner Cable

Oh shit, I think I know how this exploit may work.

There's an attack technique which is used to overwrite the Structured Exception Handler which would, in any other case, catch the Null Reference Exception and handle it cleanly so that the program would not appear to crash.

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack. Then, something would be used to trigger (a call to a null Object, in this case) the Exception Handler and since it's been overwritten with arbitrary code, the program would then be vulnerable to attack.

All of which EMET helps guard a program against.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
Reviews:
·Time Warner Cable

There's something called Structured Exception Handling Overwrite Protection or SEHOP. It does this by preventing attackers from being able to use the SEH overwrite technique by verifying that the thread’s exception handler list is intact before allowing any of the registered exception handlers to be called or executed. This mitigation technique is made possible by a side-effect of overwriting the SEH. The side-effect is that the pointer in the program’s memory stack is corrupted in the process of overwriting the SEH, thus the integrity of the exception handling chain is broken.

An Exception Handler is anything that may include the use of TRY, CATCH, and FINALLY.

I did a presentation on various exploit techniques for my end of class project for my CompTIA Security+ prep class. I covered the use of EMET extensively so I had to actually do some research into how many of these attacks work on a basic level.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)
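
A minimal model of the chain check described in the post above, added here as an example (it is not from the thread and is not Microsoft's implementation). The record layout, the sentinel handler and all function names are assumptions made for illustration; the sample chains are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): Next pointer first, handler second. */
typedef struct rec { struct rec *next; void (*handler)(void); } rec;

#define CHAIN_END ((rec *)(uintptr_t)-1)   /* end-of-chain marker */
#define MAX_WALK  64                       /* guard against looping chains */

static void final_handler(void) {}         /* hypothetical sentinel handler */
static void app_handler(void) {}           /* hypothetical application handler */
static rec outside = { CHAIN_END, final_handler }; /* record not on the stack */

/* Return 1 only if every record lies in [lo, hi) and the walk ends at the
   sentinel record; otherwise 0, meaning no registered handler is called. */
static int chain_is_intact(const rec *head, const rec *lo, const rec *hi)
{
    const rec *r = head;
    for (int i = 0; i < MAX_WALK; i++) {
        uintptr_t p = (uintptr_t)r;
        if (p < (uintptr_t)lo || p >= (uintptr_t)hi) return 0; /* left the stack */
        if (p % sizeof(void *)) return 0;                      /* misaligned */
        if (r->next == CHAIN_END) return r->handler == final_handler;
        r = r->next;
    }
    return 0;                                   /* never reached the sentinel */
}

/* Constructed sample: a three-record chain on a modeled stack. */
static void build(rec *s)
{
    s[0] = (rec){ &s[1], app_handler };
    s[1] = (rec){ &s[2], app_handler };
    s[2] = (rec){ CHAIN_END, final_handler };
}

int check_intact(void) { rec s[3]; build(s); return chain_is_intact(s, s, s + 3); }

/* An overwrite that reaches a handler field also clobbers the Next field. */
int check_overwritten(void)
{ rec s[3]; build(s); s[0].next = &outside; return chain_is_intact(s, s, s + 3); }

/* A Next pointer redirected back into the stack never reaches the sentinel. */
int check_looping(void)
{ rec s[3]; build(s); s[1].next = &s[0]; return chain_is_intact(s, s, s + 3); }

int main(void)
{
    printf("intact=%d overwritten=%d looping=%d\n",
           check_intact(), check_overwritten(), check_looping());
    return 0;
}
```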



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
Reviews:
·Time Warner Cable

Many of Microsoft's newer programs have these exploit protections baked into the compiled code of the program. But, this only happens with programs that have been compiled with recent versions of the Microsoft Visual C++ Compiler.

My guess is that Internet Explorer 9 and 10, which aren't vulnerable, have been compiled with Visual C++ 2010 or newer and the older versions are still being compiled with a pre-2010 C++ compiler, thus not having the protections baked into the compiled code.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Reviews:
·CenturyLink

reply to trparky

said by trparky:

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack.

...

All of which EMET helps guard a program against.

That is my understanding as well.
--
Don't feed trolls--it only makes them grow!


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

reply to redwolfe_98
MS FixIt available at this MS KB.
»support.microsoft.com/kb/2794220



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

Got it--thanks.

Of course it won't fix IE6 on a Win2K system. Did IE8 on WinXP SP3 fine though.



chachazz
Premium
join:2003-12-14
kudos:7

reply to redwolfe_98

Microsoft Security Advisory (2794220)

Vulnerability in Internet Explorer Could Allow Remote Code Execution
| Updated: Monday, December 31, 2012

Microsoft Fix it solution, "MSHTML Shim Workaround", that prevents exploitation of this issue

See Microsoft Knowledge Base Article 2794220 to use the automated Microsoft Fix it solution to enable or disable this workaround.

Here it is: Fix it for me - FixIt Solution



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 edit

reply to StuartMW
You're welcome.
From: »blogs.technet.com/b/srd/archive/···ers.aspx
Update December 31: Fix It tool is available.
»support.microsoft.com/kb/2794220



Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

reply to redwolfe_98
Fix it here, fix it there, fix it everywhere
