mysec
Premium
join:2005-11-29
Do You Trust Your Browser...

...to protect you from all malicious web sites? What about Remote Code Execution, aka, Drive-by download?

I use Opera, and would have to answer with a resounding "No."

While exploits for Opera and Firefox are not so common, the recent vulnerability for Firefox, for example, shows a greater sophistication in its capabilities and possibilities for remote code execution.

----------------------------
EDIT: This from isc.sans.org 12/10: "[Mozilla's] results match our testing, that we were able to make it take a long time for Firefox to start, but were not able to make it crash. Further, there doesn't seem to be any credible evidence at this time that this could be exploited to execute arbitrary code."
----------------------------

With the new and still yet unpatched vulnerability for IE making news, I remembered a malicious web site using Remote Code Execution. It was mentioned in another forum earlier this year, where people were trying it out to test their protection programs. It supposedly doesn't work on WinXP SP2, but if you are set up for testing with IE, you might try it to see if the page will run the exploit, and then see if what protection you have behind the browser blocks it. Some people confirmed that KAV blocked; I did it with Anti-Executable. Some were dismayed that their protection did not pick up the trojan download.

Here is a demonstration of the exploit.

Again, while it is an old exploit, it does demonstrate Remote Code Execution, and is enough proof for me that it's a false sense of security to think the browser alone is secure protection from a malicious web site. Several recent occurrences of Spy Sheriff suddenly appearing on users' screens are proof.

If someone just starting out in computing asked for your help in setting things up in a home system, how would you protect against possible Remote Code Execution (unwanted downloads)?


dadkins
Premium, MVM
join:2003-09-26
Hercules, CA
I don't trust Jack! Not my browser(s), not my OS, not *any* websites, no software, nothing!

Not even myself from doing something that may possibly hose the system!

I do what I can to make sure I have a semi-pleasant online experience.
Typed in Opera, if it matters.
--
Think outside the Fox... Opera


redxii
Premium, Mod
join:2001-02-26
Texas

reply to mysec
No, which is why I run with lower privileges.

Here's a demo given the exploit site. The attack was wholly unsuccessful under non-admin even without the patch:

XP SP1 unpatched, Non-Admin, Defaults


However the same cannot be said of the Administrator account:

XP SP1 unpatched, Admin, Defaults


(For those that are wondering, there is no need to reinstall Windows when it gets hosed, because I enabled the Undo Disk: I just delete the Undo Disk changes.)

And here are some new entries:
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker011.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb011.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb011.dll
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe
O20 - Winlogon Notify: st3 - C:\WINDOWS\q245843.dll
O23 - Service: Windows Service Manager - Unknown owner - C:\WINDOWS\System32\service.exe

Many say in a negative way that malware is dictating the way they use their computer. I say to each their own, but it is common sense. For example, earlier this week I did an experiment with Apache HTTP server under Windows. I purposely picked a vulnerable version (1.3.24). I ran it under the default account (LocalSystem or SYSTEM). I was able to exploit it and gain complete access to the system through telnet. I added users to Administrators, deleted files, basically f*%ked it up. Then I ran it under LocalService, and gave it read privileges to the apache folder and write privileges to the logs folder (required so it would even start). I could do absolutely nothing to damage or alter the system.
--
Open Source -> Closed Minded.
Microsoft Windows 2000/XP Security: Some Assembly Required.
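As an added illustration of why the same page did nothing under a non-admin account (example code written for this thread, not from redxii or from HijackThis): the HijackThis entries quoted above are parsed and each one is checked against the rights needed to create it. The section-to-hive mapping is the standard one (O2 BHOs, O3 toolbars and O20 Winlogon Notify packages register under HKLM; O23 creates a service through the SCM; O4 can be HKLM or HKCU), and the assumption that %SystemRoot% is not writable by a plain User holds for default XP NTFS ACLs. The last sample line, an HKCU Run entry pointing into the user's own profile, is made up to show the one shape a non-admin infection could still take.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the six HijackThis lines quoted in the post above, plus one
# made-up HKCU Run entry that points into the user's profile (the last line).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker011.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb011.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb011.dll
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe
O20 - Winlogon Notify: st3 - C:\WINDOWS\q245843.dll
O23 - Service: Windows Service Manager - Unknown owner - C:\WINDOWS\System32\service.exe
O4 - HKCU\..\Run: [upd] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
"""

# HijackThis sections whose registration point is machine-wide (HKLM or the
# Service Control Manager) and therefore needs administrative rights to write.
ADMIN_ONLY_SECTIONS = {
    "O2": "BHO registration lives under HKLM",
    "O3": "IE toolbar registration lives under HKLM",
    "O20": "Winlogon Notify packages are registered under HKLM",
    "O23": "creating a service needs SCM create rights",
}

# Directories a plain User cannot write to under default XP NTFS ACLs
# (assumption: default ACLs; on FAT32 every account can write anywhere).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\", "c:\\program files\\")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys))\b", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    detail: str
    path: Optional[str]
    admin_reasons: list = field(default_factory=list)

    @property
    def needs_admin(self) -> bool:
        return bool(self.admin_reasons)


def parse_hjt(log: str) -> list:
    """Parse HijackThis 'Onn - ...' lines and record why each one needs admin rights."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, detail = m.groups()
        pm = PATH_RE.search(detail)
        path = pm.group(1) if pm else None
        reasons = []
        if section in ADMIN_ONLY_SECTIONS:
            reasons.append(ADMIN_ONLY_SECTIONS[section])
        if section == "O4":
            hive = detail.split("\\", 1)[0].upper()  # "HKLM" or "HKCU"
            if hive == "HKLM":
                reasons.append("HKLM Run key is writable only by administrators")
        if path and path.lower().startswith(SYSTEM_DIRS):
            reasons.append(f"drops {path} into a system directory")
        entries.append(Entry(section, detail, path, reasons))
    return entries


def summarize(log: str) -> dict:
    """Split the log into entries that needed admin rights and those that did not."""
    entries = parse_hjt(log)
    return {
        "total": len(entries),
        "admin_required": [e for e in entries if e.needs_admin],
        "user_writable": [e for e in entries if not e.needs_admin],
    }


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(("ADMIN" if e.needs_admin else "user "), e.section, e.detail)
        for r in e.admin_reasons:
            print("        -", r)
```

Run it and the only entry without an ADMIN verdict is the constructed one; every entry the real log shows either writes into C:\WINDOWS or registers under HKLM or the SCM, which is exactly what a Users-group account is denied. The same reasoning is why the Apache experiment failed under LocalService: the account had no write access outside the logs folder.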

mysec
Premium
join:2005-11-29

First time I've actually *seen* a malware demo showing admin vs non-admin.

The three blank frames on the page are loaded from the iframe tags on the blank main page. These are the pages that download the nasty stuff.
---------------------
<iframe src="./exp_4/index.htm" width=40 height=40></iframe>
<iframe src="./exp_sp6/index.htm" width=40 height=40></iframe>
<iframe src="./exp_3/index.htm" width=40 height=40></iframe>
---------------------

The four cvx* files that show in your Task Manager are created from service.exe, which is installed in \system32. The last one in the list is the workhorse that keeps downloading stuff. You can see it working in the CPU column.

Can you explain what your "undo disk" is?


redxii
Premium, Mod
join:2001-02-26
Texas

said by mysec:

Can you explain what your "undo disk" is?
Undo Disks is a feature that saves changes to a virtual machine's data and configuration in a separate undo disk file in case I want to reverse the changes after a session. So I can hose the guest OS (virtual machine) without consequence or having to redo it to test more exploits.
--
Open Source -> Closed Minded.
Microsoft Windows 2000/XP Security: Some Assembly Required.


Dustyn
Premium
join:2003-02-26
Ontario, CAN

Anything like Me/XP System Restore?
Or way more advanced?

PRIMARY BROWSER: Microsoft Internet Explorer 6.0
UPDATE VERSIONS: SP2; with current updates!
SECONDARY BROWSER: Firefox 1.5


I use Lavasoft AdAware, Spybot Search & Destroy, Microsoft Anti-Spyware, Spyware Blaster, IE-SPYAD2, and Spyware Block List.

Do I trust my browser?
With a little help...


SpannerITWks
Premium
join:2005-04-22

reply to mysec

(Attached screenshots: "IE Warning" and "Phish + AV Alert".)

Interesting experiment!

I went to the www 3 times 20 minutes ago to test it, using IE locked down as usual. On each occasion I got a Phishing alert from GSH and an MS error message saying an error had occurred and IE needed to close down, which I OK'd. I cleared my cache etc. each time and repeated.

I tried again a few minutes later and this time AntiVir kicked in, but no IE error box?

I just tried again and got all 3 alerts!

Maybe the site randomly changes what it tries to do?

Anyway, I live unscathed to be able to pass it on.

Spanner
--
I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks/SpannerITWks


Dustyn
Premium
join:2003-02-26
Ontario, CAN

yuck.... illegal operations....
The descriptions are so vague too.


SnowyOne
Premium
join:2003-04-05
Kailua, HI

reply to mysec
Re: Do You Trust Your Own Knowledge...

That's a loaded question if I ever saw one!
"Do You Trust Your Browser..."
Yes, I do trust my browser.
Would I trust someone else's browser?
Not on your life!
I'm not sitting on a private build, just the usual ones locked down to the best of my ability. I trust myself to make my browser as safe as it can be. So the truth is I do trust my browser.
Keeping my browser safe is just a matter of keeping it updated, using different security levels for different zones, firewalling etc... (feel free to add to this abbreviated list).

mysec
Premium
join:2005-11-29

reply to SpannerITWks
Re: Do You Trust Your Browser...

The AntiVir message recognizes the signature of the .ani file as 'Exploit.MS05-002.Ani.A' which is a reference to the MS bulletin MS05-002 that describes the animated cursor exploit.

»www.microsoft.com/technet/securi···002.mspx

By blocking the caching of this file, the trojan file, Win32.exe, can't download.
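For the AntiVir detection named above, here is an added example (not from the thread, AntiVir or Microsoft) of the structural check a scanner can make on a .ani file before the cursor loader ever sees it. MS05-002 (CVE-2004-1049) was a stack overflow in the animated-cursor loader, which copied the anih chunk into a fixed 36-byte ANIHEADER buffer using the length taken from the file, so the check is simply that every anih chunk declares 36 bytes and that no chunk claims more data than actually remains. The .ani files are built by the block itself from a minimal header; they are constructed, not real samples, and the chunk walker and names are mine.

```python
import struct

ANIH_EXPECTED = 36  # sizeof(ANIHEADER): the fixed-size buffer the loader copied into


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Build one RIFF chunk: fourcc, little-endian size, payload, pad to even length."""
    size = len(payload)
    pad = b"\x00" if size % 2 else b""
    return fourcc + struct.pack("<I", size) + payload + pad


def build_ani(anih_size: int = ANIH_EXPECTED) -> bytes:
    """Constructed minimal .ani; anih_size != 36 reproduces the malformed-header shape."""
    # cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
    header = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
    header = (header + b"A" * anih_size)[:anih_size]  # grow with filler or truncate
    fram = _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 8))
    body = b"ACON" + _chunk(b"anih", header) + fram
    return b"RIFF" + struct.pack("<I", len(body)) + body


def _chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, declared size, payload offset) for the chunks in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield fourcc, size, pos + 8
        pos += 8 + size + (size & 1)


def check_ani(data: bytes) -> list:
    """Return the structural findings an MS05-002-style .ani produces; [] means clean."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 != len(data):
        findings.append(f"RIFF size {riff_size} does not match file length {len(data) - 8}")

    def walk(start: int, end: int) -> None:
        for fourcc, size, body in _chunks(data, start, end):
            if body + size > end:
                findings.append(f"{fourcc.decode('latin-1')} chunk declares {size} bytes, "
                                f"only {end - body} remain")
                return
            if fourcc == b"anih" and size != ANIH_EXPECTED:
                findings.append(f"anih chunk size {size} != {ANIH_EXPECTED} "
                                f"(MS05-002 overflow pattern)")
            if fourcc == b"LIST":
                walk(body + 4, body + size)  # skip the list type, e.g. b'fram'

    walk(12, len(data))
    return findings


if __name__ == "__main__":
    print("clean   :", check_ani(build_ani()))
    print("oversize:", check_ani(build_ani(1024)))
```

The walker descends into LIST chunks so that an anih chunk placed further down the file is checked as well; the second animated-cursor bug in 2007 (MS07-017) was exactly a later anih chunk that the post-MS05-002 loader did not validate. A declared size smaller than 36 is flagged too, since a truncated header is another shape a fuzzed cursor takes.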

mysec
Premium
join:2005-11-29

reply to SnowyOne
Re: Do You Trust Your Own Knowledge...

said by SnowyOne:

Keeping my browser safe is just a matter of keeping it updated, using different security levels for different zones, firewalling etc... (feel free to add to this abbreviated list).
With no update yet available for the latest vulnerability, do you feel that you have something else in place that would catch it should it get by your browser? (Assuming IE - apologies if not)


SnowyOne
Premium
join:2003-04-05
Kailua, HI

said by mysec:

With no update yet available for the latest vulnerability, do you feel that you have something else in place that would catch it should it get by your browser? (Assuming IE - apologies if not)
IE is a fair example.
From the link provided »www.rsjones.net/exploit

"The exploit seems not to work on WinXP SP2, or if IE is patched
To test, IE6 unpatched running on Win2k SP4 was used"
Keeping the browser updated seems to be effective, unless I'm missing something?

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to mysec
Re: Do You Trust Your Browser...

Hmmm... the icon link that you get when you go there via Fx: if you drop it on IE while IE is open on the taskbar, it stops you from using Prompt on Active Scripting in IE at that site. It loads the blank frames one by one even as you deny Active Scripting. If I go there in IE, XP Pro SP1a, as admin with Active Scripting set to Prompt, and I deny it, the frames don't load, but they do after dropping the icon link onto IE, even when denying.

When I go there with Active Scripting set to Enable, I get the frames loaded and the error message in the status bar. Nothing else happens. Do I have to uninstall a particular patch for XP Pro SP1a to get the exploit to work? (I'm using a guest machine and took a snapshot before I went there, so if I get nasties on here I'll just revert to the last (or an earlier) snapshot.) Plus, I'd like to see what KIS 2006 would do. So besides going there as admin, do I have to go with no patches at all, or is there a specific patch that protects?

Why is there an icon link when you go there via Fx but isn't via IE?
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"


hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to mysec
I trust my browser (IE6 SP2) to operate within the constraints I have imposed upon it. I visit a lot of nefarious sites (certainly more than the average user) in the maintenance of the hosts file I publish and so it seems to be working.
--
Get hpHOSTS! Member ASAP
The Bush Era is over. The Bush Error is not.

mysec
Premium
join:2005-11-29

reply to SnowyOne
Re: Do You Trust Your Own Knowledge...

said by SnowyOne:

Keeping the browser updated seems to effective, unless I'm missing something?
I was referring to the latest exploit:

»www.microsoft.com/technet/securi···302.mspx

as referenced here:

»www.websensesecuritylabs.com/ale···rtID=364

mysec
Premium
join:2005-11-29


1 edit
reply to Mele20
Re: Do You Trust Your Browser...

said by Mele20:

So besides going there as admin do I have to go with no patches at all or is there a specific patch that protects?
If you look at the old bulletin you might be able to figure out what patches you have or don't have:

»www.microsoft.com/technet/securi···002.mspx

quote:
It loads the blank frames one by one even as you deny active scripting.
It was explained to me that the frames load from the iframe code, not via a script:

<iframe src="./exp_4/index.htm" width=40 height=40></iframe>

quote:
Why is there an icon link when you go there via Fx but isn't via IE?
I don't know. There is no icon link when using Opera, IIRC.
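The iframe tags mysec quoted earlier, and the answer just above that the frames load from the iframe markup rather than from a script, are the part an Active Scripting prompt never gets to see. As an added example (not from the thread), here is a scanner over fetched HTML that lists the iframes that are tiny or CSS-hidden, the two shapes a drive-by loader frame usually takes. The sample page is constructed from the three quoted tags plus two made-up frames, and the 100-pixel threshold is an assumption (the real page used 40x40).

```python
from html.parser import HTMLParser

# Constructed sample page: the three iframe tags quoted from the exploit page in
# this thread, plus a normal-sized frame and a CSS-hidden one made up for contrast.
SAMPLE_HTML = """
<html><body>
<iframe src="./exp_4/index.htm" width=40 height=40></iframe>
<iframe src="./exp_sp6/index.htm" width=40 height=40></iframe>
<iframe src="./exp_3/index.htm" width=40 height=40></iframe>
<iframe src="player.htm" width=640 height=480></iframe>
<iframe src="tracker.htm" style="display: none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag; no script is executed."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.frames.append(dict(attrs))


def _pixels(value):
    """Turn '40', '40px' or None into an int (or None when absent)."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def find_suspicious_iframes(html, max_px=100):
    """Return the iframes that are tiny or CSS-hidden, with the reason for each.

    max_px is an assumed threshold; the exploit page in the thread used 40x40.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for f in parser.frames:
        w, h = _pixels(f.get("width")), _pixels(f.get("height"))
        style = (f.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        tiny = w is not None and h is not None and w <= max_px and h <= max_px
        if hidden or tiny:
            hits.append({"src": f.get("src"), "width": w, "height": h,
                         "reason": "hidden" if hidden else "tiny"})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML):
        print(hit["reason"], hit["src"], hit["width"], hit["height"])
```

The flagged src values are the pages to fetch next (in a sandbox), since each one is the actual exploit page; and the point that matters for this thread is that nothing in the markup needed script to run, which is why a Prompt setting on Active Scripting never triggered.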

slajoh01

join:2005-04-23

No OS or browser can be 100 percent secure. No way, shape or form.

You can harden it, whether IE, Opera, Firefox or whatever, by disabling ActiveX (in IE) and scripting. For Firefox users, just uncheck the Install Software Automatically or something under Web Events. I don't know, I forgot the names.

If you're really paranoid, I would recommend a TEXT-BASED browser such as Lynx.


mozilla user

@rr.com
reply to mysec
I trust my browser, why wouldn't I?? I have never had spyware or any type of problem. I run as Admin behind a router using Windows Firewall.
Nothing is a 100% secure, but I don't have to lock down my browser or system to surf..


hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to mysec
Re: Do You Trust Your Own Knowledge...

said by mysec:

said by SnowyOne:

Keeping the browser updated seems to effective, unless I'm missing something?
I was referring to the latest exploit:

»www.microsoft.com/technet/securi···302.mspx

as referenced here:

»www.websensesecuritylabs.com/ale···rtID=364
Hmmm... Interesting that you should mention that. When it was first reported I downloaded the poc files and confirmed that the exploit works. Since then I have reinstalled windows (XP SP2) and as far as I can tell my security setup does not differ from the previous policy but those poc pages which I downloaded no longer work. At the moment I have no idea why but the payload (calc.exe) never runs. IE does not hang or become unstable either.
--
Get hpHOSTS! Member ASAP
The Bush Era is over. The Bush Error is not.


SnowyOne
Premium
join:2003-04-05
Kailua, HI

reply to mysec
said by mysec:

said by SnowyOne:

Keeping the browser updated seems to (be)effective, unless I'm missing something?
I was referring to the latest exploit:

»www.microsoft.com/technet/securi···302.mspx

as referenced here:

»www.websensesecuritylabs.com/ale···rtID=364
Here's the Microsoft workaround. “Set Internet and Local intranet security zone settings to ‘High’ to prompt before running Active Scripting in these zones”.
My IE was already configured that way so it wasn't affected by this exploit.
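As an added example (not from the thread or from Microsoft) of checking the workaround SnowyOne quotes, the script below audits a `reg export` of the per-user Zones key. Zone 1 is Local intranet and zone 3 is Internet; value 1200 is "Run ActiveX controls and plug-ins", value 1400 is "Active scripting", and the data is 0 for Enable, 1 for Prompt and 3 for Disable. The CurrentLevel-to-template lookup is an assumed mapping, and the two exports (one at defaults, one after the workaround) are constructed.

```python
import re

# Constructed .reg exports of the per-user IE zone keys: one at typical defaults,
# one after the "High / prompt for Active Scripting" workaround has been applied.
WEAK_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"CurrentLevel"=dword:00010500
"1200"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00011000
"1200"=dword:00000000
"1400"=dword:00000000
"""

HARDENED_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"CurrentLevel"=dword:00012000
"1200"=dword:00000003
"1400"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00012000
"1200"=dword:00000003
"1400"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
ZONE_RE = re.compile(r"\\Internet Settings\\Zones\\(\d)$")

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
ACTIONS = {"1200": "Run ActiveX controls and plug-ins", "1400": "Active scripting"}
SETTINGS = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Assumed mapping of CurrentLevel to the IE6 template names.
LEVELS = {0x10000: "Low", 0x10500: "Medium-Low", 0x11000: "Medium", 0x12000: "High"}


def parse_zone_export(reg_text: str) -> dict:
    """Map zone number -> {value name: dword} from a .reg export of the Zones key."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            z = ZONE_RE.search(m.group(1))
            current = int(z.group(1)) if z else None
            if current is not None:
                zones.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            zones[current][m.group(1)] = int(m.group(2), 16)
    return zones


def audit_zones(reg_text: str, zones_to_check=(1, 3)) -> list:
    """Report every checked zone/action that still runs content without a prompt."""
    zones = parse_zone_export(reg_text)
    problems = []
    for z in zones_to_check:
        name = ZONE_NAMES.get(z, str(z))
        values = zones.get(z)
        if values is None:
            problems.append(f"{name}: not in export (if Security_HKLM_only is set, export HKLM instead)")
            continue
        for action, label in ACTIONS.items():
            v = values.get(action)
            if v is None:
                problems.append(f"{name}: {label} not set explicitly")
            elif v == 0:
                problems.append(f"{name}: {label} = Enable, expected Prompt or Disable")
    return problems


def describe(reg_text: str) -> dict:
    """Human-readable view of each exported zone: template level plus the two actions."""
    zones = parse_zone_export(reg_text)
    return {ZONE_NAMES.get(z, str(z)): {
                "level": LEVELS.get(v.get("CurrentLevel"), hex(v.get("CurrentLevel", 0))),
                **{label: SETTINGS.get(v.get(a), v.get(a)) for a, label in ACTIONS.items()}}
            for z, v in zones.items()}


if __name__ == "__main__":
    print("defaults :", audit_zones(WEAK_EXPORT))
    print("hardened :", audit_zones(HARDENED_EXPORT))
```

On a real machine, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg`, open the file with `encoding="utf-16"` (reg.exe writes UTF-16), and pass the text to audit_zones. If Security_HKLM_only is set under Internet Settings, IE reads the HKLM copy of the same key instead, and that is the one to export.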
© 1999-2009 dslreports.com