

chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 recommendation

reply to redwolfe_98

Re: IE Zero-Day


Microsoft Security Advisory (2794220)

Vulnerability in Internet Explorer Could Allow Remote Code Execution
| Updated: Monday, December 31, 2012

Microsoft Fix it solution, "MSHTML Shim Workaround", that prevents exploitation of this issue

See Microsoft Knowledge Base Article 2794220 to use the automated Microsoft Fix it solution to enable or disable this workaround.

Here it is : Fix it for me - FixIt Solution



Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

1 recommendation

said by chachazz:

Microsoft Security Advisory (2794220)

Vulnerability in Internet Explorer Could Allow Remote Code Execution
| Updated: Monday, December 31, 2012

Microsoft Fix it solution, "MSHTML Shim Workaround", that prevents exploitation of this issue

See Microsoft Knowledge Base Article 2794220 to use the automated Microsoft Fix it solution to enable or disable this workaround.

Here it is : Fix it for me - FixIt Solution

Thanks for posting the fix-it solution, chachazz; however, it seems that security firm Exodus Intelligence has managed to bypass the fix and compromise a fully-patched system...

Info here: »blog.exodusintel.com/2013/01/04/···12-4792/
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone’s going to think you’re a moron.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

The Krebs Article that redwolfe_98 originally posted has the FixIt



Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

2 recommendations

said by siljaline :
Some slight duplication of effort never hurt anybody. Better than no information • voila


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 recommendation

reply to Smokey Bear

said by Smokey Bear:


Thanks for posting the fix-it solution, chachazz; however, it seems that security firm Exodus Intelligence has managed to bypass the fix and compromise a fully-patched system...

Info here: »blog.exodusintel.com/2013/01/04/···12-4792/

Absolutely essential info. Thank you very much, Smokey Bear. Microsoft should be burning the midnight oil over this one.
quote:
After posting our analysis of the current 0day in Internet Explorer which was used in a watering hole style attack hosted on the Council for Foreign Relations website, we decided to take a look at the Fix It patch made available by Microsoft to address the vulnerability.

After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week.

We have included details on the bypass to customers of our intelligence feeds and will notify Microsoft of the issue. In practice with coordinated vulnerability disclosure, we intend to update this post with details when Microsoft has addressed the problematic patch.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to Smokey Bear

Researchers Bypass Microsoft Fixit for IE Zero Day



chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 recommendation

reply to Smokey Bear

SANS Internet Storm Center Diary
quote:

"FixIt" Patch for CVE-2012-4792 Bypassed
Published: 2013-01-04,
Last Updated: 2013-01-04 23:36:34 UTC
by Guy Bruneau (Version: 1)

On the 1 Jan 2013, Johannes posted a diary on a Microsoft FixIt made available for IE as a way of mitigating the CVE-2012-4792 zero day attack. Researchers at Exodus Intelligence reported today they have developed a new attack that bypasses the FixIt issued by Microsoft. They were able to bypass and compromise a fully-patched system using some variation of the exploit published this week.

You might want to take a second look at the diary published this week that is using EMET 3.5 as another tool to help defend your Windows systems against various attacks.

[1] »isc.sans.edu/diary.html?storyid=14788
[2] »blog.exodusintel.com/2013/01/04/···12-4792/
[3] »isc.sans.edu/diary.html?storyid=14797

-----------
»isc.sans.edu/diary.html?storyid=14824&rss=


Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

1 recommendation

said by chachazz:
You might want to take a second look at the diary published this week that is using EMET 3.5 as another tool to help defend your Windows systems against various attacks.

[3] »isc.sans.edu/diary.html?storyid=14797
Thanks chachazz, valuable info in your post. The use of EMET is highly recommendable and SANS explains it very well.
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone’s going to think you’re a moron.


DevilFrank

join:2003-07-13
Reviews:
·T-Com

said by Smokey Bear:

said by chachazz:
You might want to take a second look at the diary published this week that is using EMET 3.5 as another tool to help defend your Windows systems against various attacks.

[3] »isc.sans.edu/diary.html?storyid=14797
Thanks chachazz, valuable info in your post. The use of EMET is highly recommendable and SANS explains it very well.

But will it work on W8 properly? Can't find a version for it.
--
Regards from Germany. Please excuse my stumbling English


Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

1 recommendation

According to MS, EMET will not work with W8.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

W8 has EMET (under another name?) built-in. Besides W8 comes with IE10 which isn't vulnerable.



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

EMET does indeed work with Windows 8. I have it protecting Firefox on my Windows 8 installation.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by trparky:

EMET does indeed work with Windows 8.

That wasn't my point BTW. I thought W8 included some version of EMET out of the box.
--
Don't feed trolls--it only makes them grow!


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

Maybe, I don't know.



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

ASLR and exploit mitigations
Address Space Layout Randomization (ASLR) was introduced in Windows Vista and is essentially a technique to mitigate the infamous “Buffer Overrun” vulnerabilities by randomly moving the location of code and data in memory. In Windows 8 randomization is increased in order to foil known techniques for bypassing ASLR. Other mitigations include changes to the Windows kernel and heap, including new integrity checks and randomization using a similar approach to ASLR. Internet Explorer 10 will also benefit from these changes: besides including an “Enhanced Protected Mode” sandbox, there will be a “ForceASLR” option in IE10 that can randomize all modules loaded into memory by the browser, regardless if those modules did not opt in to use ASLR protection (developers can create modules that take advantage of ASLR protection by using the optional /DYNAMICBASE flag).

EMET provides much more than that.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)
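
The /DYNAMICBASE opt-in mentioned in the passage quoted above is recorded as a bit in each module's PE header, so a defender can list which modules would only be randomized by a forced-ASLR setting. The Python below is an added example, not part of the thread or of any Microsoft tool; `aslr_status` and `build_sample` are hypothetical names, and the sample headers are constructed for the demo.

```python
import struct
import sys

# Bit values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # DllCharacteristics: linked with /DYNAMICBASE
NX_COMPAT = 0x0100        # DllCharacteristics: linked with /NXCOMPAT
RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no relocation data

def aslr_status(image: bytes) -> dict:
    """Read the ASLR-related header bits of a PE image (PE32 or PE32+)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    opt = pe_off + 24  # 4-byte signature + 20-byte COFF header
    if image[pe_off:pe_off + 4] != b"PE\0\0" or len(image) < opt + 72:
        raise ValueError("missing PE signature or truncated headers")
    opt_size, characteristics = struct.unpack_from("<HH", image, pe_off + 20)
    (magic,) = struct.unpack_from("<H", image, opt)
    if opt_size < 72 or magic not in (0x10B, 0x20B):
        raise ValueError("unsupported optional header")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        # Without relocation data the image cannot be rebased at load time.
        "relocs_stripped": bool(characteristics & RELOCS_STRIPPED),
    }

def build_sample(dll_chars: int, characteristics: int = 0x2102) -> bytes:
    """Constructed headers-only PE32 image for the demo (not loadable)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, characteristics)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    if sys.argv[1:]:  # real modules given on the command line
        images = {p: open(p, "rb").read(4096) for p in sys.argv[1:]}
    else:             # constructed samples
        images = {"opted-in": build_sample(0x0140),
                  "no /DYNAMICBASE": build_sample(0x0100)}
    for name, data in images.items():
        print(name, aslr_status(data))
```

Modules that report `dynamic_base: False` are the ones that load at a predictable address unless the loader is told to relocate them anyway.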



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

Well regardless XP/Vista/Win7 users would be well served by installing/configuring it. Win8 I'm not sure.
--
Don't feed trolls--it only makes them grow!



chachazz
Premium
join:2003-12-14
kudos:9
reply to trparky

Internet Explorer 9 and 10 are not vulnerable to this exploit.


slajoh01

join:2005-04-23

Where I work, we still use IE 8. What should companies be urged to do in the meantime while MS decides to roll up the patch for this?

We cannot upgrade to IE 9 or 10.

And also, we are not allowed to use Firefox and other browsers either.

The workaround explained on the MS site is to extend the Internet/Intranet Security zones to HIGH, and that's no good for the users because IE is then worthless to use... unless adding those sites in the Trusted Zones.

And also, even if MS decides to roll out the patch on Tuesday, our IT department still has to delay the patch deployment for about a week in order to test it with our applications.

So what should companies like this do in this case if this is a huge exploit???



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

EMET would be the best bet in that kind of situation.
