Topic 'Re: IE Zero-Day' in forum 'Security' - dslreports.com

Re: IE Zero-Day

Sun, 13 Jan 2013 19:06:51 EDT

StuartMW posted : IE is being patched Mon Jan 14th

»Microsoft Security Bulletin Advance Notification for 14th!
--
Don't feed trolls--it only makes them grow!

Re: IE Zero-Day

Wed, 09 Jan 2013 20:01:02 EDT

antdude posted :

said by Blackbird:

As with all software patches, from all sources, they'll roll out a patch when and if they're ready. First they have to determine the scope of the causal factors, then find fixes that don't break things, then test against all manner of system setups. Each step takes time to be done properly, and little can be accomplished by trying to do the steps in parallel.

Yep, don't rush them. We don't want a buggy release.
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

Re: IE Zero-Day

Wed, 09 Jan 2013 15:29:34 EDT

Blackbird posted : As with all software patches, from all sources, they'll roll out a patch when and if they're ready. First they have to determine the scope of the causal factors, then find fixes that don't break things, then test against all manner of system setups. Each step takes time to be done properly, and little can be accomplished by trying to do the steps in parallel.
--
�The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.� A. de Tocqueville

Re: IE Zero-Day

Wed, 09 Jan 2013 13:28:23 EDT

slajoh01 posted : Will MS ever roll out this patch in the near future for IE 8?

Thanks!!!

Re: IE Zero-Day

Wed, 09 Jan 2013 13:12:18 EDT

Oleg posted : Just checked Windows Updates, and 9 security updates were listed.

Re: IE Zero-Day

Wed, 09 Jan 2013 11:07:25 EDT

therube posted : "... Even though a security company has revealed that it had managed to bypass Microsoft’s one-click “Fix it” solution for Internet Explorer 8 and older, the Redmond-based software firm says that users are fully protected if they deploy the patch.

“We’ve reviewed the information and are working on an update, which we will make available to all customers on IE6-8 as soon as it is ready for distribution,” said Dustin Childs, group manager, Microsoft Trustworthy Computing, according to ThreatPost.

“In the meantime, the current Fix it, mitigations and workarounds available in Security Advisory 2794220 fully protect against all known active attacks. We also continue to encourage customers to upgrade their browsers to IE9-10, which are not affected by this issue.”

While Internet Explorer 9 and Internet Explorer 10 are not affected by the issue, security vendors across the globe are confirming that more websites have been compromised in order to exploit the flaw.

“The whole point of the waterhole tactic is that they believe such sites, although usually not with high numbers of users, will have interesting visitors,” said Jindrich Kubec, Avast Virus Lab’s director of Threat Intelligence. “At least two of the sites use the same spyware binary with exactly same configuration. The rest look a bit different, but we haven’t investigated it thoroughly yet.”..."

»news.softpedia.com/news/Microsof···47.shtml

Re: IE Zero-Day

Tue, 08 Jan 2013 10:23:03 EDT

trparky posted : EMET would be the best bet in that kind of situation.

Re: IE Zero-Day

Tue, 08 Jan 2013 00:37:13 EDT

slajoh01 posted : Where I work, we still use IE 8. What should companies urge to do in the meantime while MS decides to roll up the patch for this?

We cannot upgrade to IE 9 or 10.

And also, we not allowed to use Firefox and other browsers either.

The workarounds explained on the MS site, is to extend the Internet/Intranet Security zones to HIGH, and thats no good for the users because IE is then worthless to use....unless adding those sites in the Trusted Zones.

And also, even though if MS decides to roll out the patch on Tuesday, our IT department has to still then delay the patch deployment for about a week in order to test it with our applications.

So what should companies like this do in this case if this is a huge exploit???

Re: IE Zero-Day

Mon, 07 Jan 2013 14:52:55 EDT

chachazz posted : Internet Explorer 9 and 10 are not vulnerable to this exploit.

Re: IE Zero-Day

Mon, 07 Jan 2013 14:47:26 EDT

chachazz posted : Internet Explorer zero-day exploit found on more websites.
»nakedsecurity.sophos.com/2013/01···ebsites/

Re: IE Zero-Day

Mon, 07 Jan 2013 14:45:53 EDT

StuartMW posted : Well regardless XP/Vista/Win7 users would be well served by installing/configuring it. Win8 I'm not sure.
--
Don't feed trolls--it only makes them grow!

Re: IE Zero-Day

Mon, 07 Jan 2013 14:42:39 EDT

trparky posted : ASLR and exploit mitigations
Address Space Layout Randomization (ASLR) was introduced in Windows Vista and is essentially a technique to mitigate the infamous “Buffer Overrun” vulnerabilities by randomly moving the location of code and data in memory. In Windows 8 randomization is increased in order to foil known techniques for bypassing ASLR. Other mitigations include changes to the Windows kernel and heap, including new integrity checks and randomization using a similar approach to ASLR. Internet Explorer 10 will also benefit from these changes: besides including an “Enhanced Protected Mode” sandbox, there will be a “ForceASLR” option in IE10 that can randomize all modules loaded into memory by the browser, regardless if those modules did not opt in to use ASLR protection (developers can create modules that take advantage of ASLR protection by using the optional /DYNAMICBASE flag).

EMET provides much more than that.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)

Re: IE Zero-Day

Mon, 07 Jan 2013 14:30:05 EDT

trparky posted : Maybe, I don't know.

Re: IE Zero-Day

Mon, 07 Jan 2013 14:22:32 EDT

StuartMW posted :

said by trparky:

EMET does indeed work with Windows 8.

That wasn't my point BTW. I thought W8 included some version of EMET out of the box.
--
Don't feed trolls--it only makes them grow!

Re: IE Zero-Day

Mon, 07 Jan 2013 14:07:06 EDT

trparky posted : EMET does indeed work with Windows 8. I have it protecting Firefox on my Windows 8 installation.

Re: IE Zero-Day

Mon, 07 Jan 2013 13:06:46 EDT

chachazz posted :

said by daveinpoway:

A security researcher has found a way to bypass Microsoft's temporary "fix"n

Info posted by Smokey Bear (on page 2)
»Re: IE Zero-Day

Re: IE Zero-Day

Mon, 07 Jan 2013 12:35:44 EDT

daveinpoway posted : A security researcher has found a way to bypass Microsoft's temporary "fix":»www.computerworld.com/s/article/···13-01-07

Re: IE Zero-Day

Mon, 07 Jan 2013 02:11:47 EDT

antdude posted :

said by StuartMW:

said by antdude:

It could be one of those out of the bound (OOTB) releases.

I think you mean Out Of Band :p

Out Of Bounds is usually sports related :D

DOH! You're right. Dang sports.
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

Re: IE Zero-Day

Sat, 05 Jan 2013 12:35:59 EDT

slajoh01 posted : And do people or users know if they have been attacked from this exploit? What are the signs and symtoms?

Ok, then let me ask this to everyone.
For those of u here who have always have been a fan of IE or has or is still using IE as their main browser, are u considering to use another browser?

The reason I like IE, because I can lock it down using the Group Policy editor. Firefox does not have this kind of "granular" control.
And thats perhaps one of the reasons why System Admins prefer to use IE at most companies.

Until MS rolls out this fix or patch, I will use FF instead....in the meantime.

Re: IE Zero-Day

Sat, 05 Jan 2013 12:21:42 EDT

Oleg posted : Exactly. There is no point of upgrading to IE 9 or 10. Thing is a lot of companies have a crazy policy that does not allow to go with any other browser, but freaking IE.

Re: IE Zero-Day

Sat, 05 Jan 2013 11:56:19 EDT

slajoh01 posted : Why do large corporations still use IE as their main browser instead of using Firefox or Chrome if IE is that bad?

Also, If MS is not rolling out the patch on Tues, then we have two options basically. Use another browser, or upgrade to IE 9 and 10.

I am not upgrading to 9 or 10. They will have security flaws anyway...Im seriously thinking about using FF as my main browser. Im thinking of it very very much.

How about the rest of you? Are u guys willing to move to a different browser after this mess?

Re: IE Zero-Day

Sat, 05 Jan 2013 11:46:18 EDT

trparky posted : Then Microsoft is wrong, I have EMET working on Windows 8 just fine.

Re: IE Zero-Day

Sat, 05 Jan 2013 09:02:42 EDT

StuartMW posted :

said by antdude:

It could be one of those out of the bound (OOTB) releases.

I think you mean Out Of Band :p

Out Of Bounds is usually sports related :D
--
Don't feed trolls--it only makes them grow!

Re: IE Zero-Day

Sat, 05 Jan 2013 08:43:07 EDT

StuartMW posted : W8 has EMET (under another name?) built-in. Besides W8 comes with IE10 which isn't vulnerable.

Re: IE Zero-Day

Sat, 05 Jan 2013 06:36:37 EDT

Smokey Bear posted : According to MS, EMET will not work with W8.

Re: IE Zero-Day

Sat, 05 Jan 2013 04:47:40 EDT

DevilFrank posted :

said by Smokey Bear:

said by chachazz:
You might want to take a second look at the diary published this week that is using EMET 3.5 as another tool to help defend your Windows systems against various attacks.

[3] »isc.sans.edu/diary.html?storyid=14797

Thanks chachazz , valuable info in your post. The use of EMET is highly recommendable and SANS explains very well.

But will it work on W8 properly? Can�t find a version for it.
--
Regards from Germany. Please excuse my stumbling English

Re: IE Zero-Day

Sat, 05 Jan 2013 03:34:53 EDT

Smokey Bear posted :

said by chachazz:
You might want to take a second look at the diary published this week that is using EMET 3.5 as another tool to help defend your Windows systems against various attacks.

[3] »isc.sans.edu/diary.html?storyid=14797

Thanks chachazz , valuable info in your post. The use of EMET is highly recommendable and SANS explains very well.
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone�s going to think you�re a moron.

Re: IE Zero-Day

Sat, 05 Jan 2013 02:25:51 EDT

slajoh01 posted : I dont get it....Why do large corporations still use IE as their main browser instead of using Firefox or Chrome if IE is that bad?

Re: IE Zero-Day

Fri, 04 Jan 2013 21:05:16 EDT

antdude posted :

said by therube:

Symantec Finds the Hackers Behind Microsoft’s Latest Zero-Day Flaw

Microsoft Won’t Patch Critical IE Flaw on Tuesday

(This coming Tuesday, that is.)

It could be one of those out of the bound (OOTB) releases.
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

Re: IE Zero-Day

Fri, 04 Jan 2013 20:17:00 EDT

chachazz posted : SANS Internet Storm Center Diary

quote:

"FixIt" Patch for CVE-2012-4792 Bypassed
Published: 2013-01-04,
Last Updated: 2013-01-04 23:36:34 UTC
by Guy Bruneau (Version: 1)

On the 1 Jan 2013, Johannes posted a diary on a Microsoft FixIt made available for IE as a way of mitigating the CVE-2012-4792 zero day attack. Researchers at Exodus Intelligence reported today they have developed a new attack that bypasses the FixIt issued by Microsoft. They were able to bypass and compromised a fully-patched system using some variation of the exploit published this week.

You might want to take a second look at the diary published this week that is using EMET 3.5 as another tool to help defend your Windows systems against various attacks.

[1] »isc.sans.edu/diary.html?storyid=14788
[2] »blog.exodusintel.com/2013/01/04/···12-4792/
[3] »isc.sans.edu/diary.html?storyid=14797

-----------

»isc.sans.edu/diary.html?storyid=14824&rss=

Re: IE Zero-Day

Fri, 04 Jan 2013 18:55:19 EDT

siljaline posted : Researchers Bypass Microsoft Fixit for IE Zero Day :D

Re: IE Zero-Day

Fri, 04 Jan 2013 16:05:20 EDT

chachazz posted :

said by Smokey Bear:

Absolutely essential info. Thank you very much Smokey Bear . Microsoft should be burning the midnight oil over this one.

quote:
After posting our analysis of the current 0day in Internet Explorer which was used in a “watering hole” style attack hosted on the Council for Foreign Relations website, we decided to take a look at the Fix It patch made available by Microsoft to address the vulnerability.

After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week.

We have included details on the bypass to customers of our intelligence feeds and will notify Microsoft of the issue. In practice with coordinated vulnerability disclosure, we intend to update this post with details when Microsoft has addressed the problematic patch.

Re: IE Zero-Day

Fri, 04 Jan 2013 16:00:40 EDT

Smokey Bear posted :

said by siljaline :
Some slight duplication of effort never hurt anybody. Better than no information • voila

Re: IE Zero-Day

Fri, 04 Jan 2013 15:49:04 EDT

siljaline posted : The Krebs Article that redwolfe_98 originally posted has the FixIt :D

Re: IE Zero-Day

Fri, 04 Jan 2013 15:22:15 EDT

Smokey Bear posted :

said by chachazz:

Microsoft Security Advisory (2794220)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
| Updated: Monday, December 31, 2012

Microsoft Fix it solution, "MSHTML Shim Workaround", that prevents exploitation of this issue

See Microsoft Knowledge Base Article 2794220 to use the automated Microsoft Fix it solution to enable or disable this workaround.

Here it is : Fix it for me - FixIt Solution

Thanks for posting the fix-it solution chachazz however it seems that security firm Exodus Intelligence has managed to bypass the fix and compromise a fully-patched system...

Info here: »blog.exodusintel.com/2013/01/04/···12-4792/
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone�s going to think you�re a moron.

Re: IE Zero-Day

Fri, 04 Jan 2013 10:58:28 EDT

therube posted : Symantec Finds the Hackers Behind Microsoft’s Latest Zero-Day Flaw

Microsoft Won’t Patch Critical IE Flaw on Tuesday

(This coming Tuesday, that is.)

Re: IE Zero-Day

Thu, 03 Jan 2013 19:57:56 EDT

Oleg posted :

said by siljaline:

said by Oleg:

Microsoft did it again :p

Did what again or are you just poking fun :p

screwed up again, in security and stability field unlike other software development companies, like Mozilla,Opera in browser industry. Microsoft did not just have one or two stability or security issues.

Re: IE Zero-Day

Thu, 03 Jan 2013 19:24:33 EDT

siljaline posted :

said by Oleg:

Microsoft did it again :p

Did what again or are you just poking fun :p

Re: IE Zero-Day

Wed, 02 Jan 2013 23:53:04 EDT

Oleg posted : Microsoft did it again :p

Re: IE Zero-Day

Wed, 02 Jan 2013 19:54:05 EDT

siljaline posted : Thanks for the link. IIRC, gadgets and sidebar are long gone by way of extenuating issues on both for a good while.

The exploit although there is a FixIt, the exploit is well explained here.

Re: IE Zero-Day

Tue, 01 Jan 2013 19:17:03 EDT

Lagz posted :

said by siljaline:

Happy New Year
Define sidebar :) Do you mean Gadgets

»windows.microsoft.com/en-US/wind···overview
--
When somebody tells you nothing is impossible, ask him to dribble a football.

Re: IE Zero-Day

Tue, 01 Jan 2013 18:51:27 EDT

siljaline posted : Happy New Year
Define sidebar :) Do you mean Gadgets

Re: IE Zero-Day

Tue, 01 Jan 2013 16:19:56 EDT

Lagz posted :

said by trparky:

Oh shit, I think I know how this exploit may work.

There's an attack technique which is used to overwrite the Structured Exception Handler which would, in any other case, catch the Null Reference Exception and handle it cleanly so that the program would not appear to crash.

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack. Then, something would be used to trigger (a call to a null Object, in this case) the Exception Handler and since it's been overwritten with arbitrary code, the program would then be vulnerable to attack.

All of which EMET helps guard a program against.

I wonder if flash or IE uses standard exception handlers or do they write their own? My instructor in C# told us to write our own exception handling when possible rather than throw standard exceptions, this might be why. When I was first introduced to exceptions I was like, HELL YEA I don't have to write as much code now. We had been writing our own exception handling up to that point. I wonder if they are just throwing standard exceptions if that's a result from laziness or management hurriedly wanting code pushed out the door?
--
When somebody tells you nothing is impossible, ask him to dribble a football.

Re: IE Zero-Day

Tue, 01 Jan 2013 11:20:24 EDT

StuartMW posted :

said by Blackbird:

...I finally took my Win98FE/KernelEx system off-line a couple of years ago (though I still run it at times as an isolated system for a few pieces of legacy software on it that I occasionally need).

You can probably image it's HD(s) and run it as a Virtual Machine (VM). Then you'd have an anchor for a (small) boat :D

I have a bunch of VM's, including some of old hardware, and use them from time to time.

The good thing about VM's is that their HD(s) are just (VHD) files. Easily backed up and copied if you want to try/test something without messing up the original. I quite often test things in VM's.
--
Don't feed trolls--it only makes them grow!

Re: IE Zero-Day

Tue, 01 Jan 2013 10:23:13 EDT

Blackbird posted :

said by goalieskates:

... If somebody doesn't want to go to a higher version browser and can live with Win98 or WinXP, more power to them.

That is the challenge, though... living with them. In the case of Win98, not only can't one find secure browsers that will run under the OS, they can't even find current anti-malware software that will run. Nearly all of what one finds that will run (if they look really hard) is outdated ("vintage") and riddled with bugs or security holes. The only thing in one's favor is that the number of exploits targeting your OS is slowly declining - especially new zero-days. It's the main reason I finally took my Win98FE/KernelEx system off-line a couple of years ago (though I still run it at times as an isolated system for a few pieces of legacy software on it that I occasionally need).
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

Re: IE Zero-Day

Tue, 01 Jan 2013 08:30:16 EDT

StuartMW posted : Win 3.1 and IE 3.01 forever! :D

Re: IE Zero-Day

Tue, 01 Jan 2013 08:28:46 EDT

goalieskates posted :

said by Dustyn:

It is, but the whole campaign is silly anyway. As long as the newer versions of IE are up to snuff, it really doesn't matter what other people choose to run. More to the point, people who run IE6 haven't upgraded their Windows, either - which hurts revenue and is really what that's all about.

We went to the moon without benefit of IE and Windows. If somebody doesn't want to go to a higher version browser and can live with Win98 or WinXP, more power to them.

Re: IE Zero-Day

Mon, 31 Dec 2012 20:28:14 EDT

Dustyn posted :

said by goalieskates:

said by Dustyn:

Who the hell cares if IE6 is vulnerable?
Microsoft has to stop patching IE6 or people will continue to use it.
»www.ie6countdown.com/

And the newer versions aren't?

People using Internet Explorer 9-10 are not impacted... So in this instance, newer is better. However, I'm only referencing this particular vulnerability. For Microsoft to also patch IE6 is a step backwards from their own abandon IE6 campaign.
--
Remember that cool hidden "Graffiti Wall" here on BBR? After the name change I became the "owner", so to speak as it became: Dustyn's Wall »[Serious] RIP

Re: IE Zero-Day

Mon, 31 Dec 2012 20:21:37 EDT

Sindows 7 posted :

said by siljaline:

MS FixIt available at this MS KB.
»support.microsoft.com/kb/2794220

I'm surprised it didn't say to disable Internet Explorer along with the Sidebar.