

AplusWebMaster

@comcast.net

MSIE Zero-Day exploit in use on the Web

FYI...

- »www.eweek.com/article2/0,1759,20···K0000614
September 18, 2006
"Security researchers at Sunbelt Software have discovered an active malware attack against fully patched versions of Microsoft's Internet Explorer browser. The exploit has been seeded at several porn sites hosted in Russia and is being used to launch drive-by malware downloads that appear to be hijacking Windows machines for use in botnets. eWEEK has confirmed the flaw—and zero-day attacks—and on a fully patched version of Windows XP SP2 running IE 6.0. There are at least three different sites hosting the malicious executables, which are being served up on a rotational basis. According to Eric Sites, vice president of research and development at Florida-based Sunbelt Software, the vulnerability is a buffer overflow in the way the world's most widely used browser handles VML (Vector Markup Language) code. The attack is linked to the WebAttacker, a do-it-yourself malware installation toolkit that is sold at multiple underground Web sites. "Once you click on the site, the exploit opens a denial-of-service box and starts installing spyware," Sites said. He said the exploit can be mitigated by turning off JavaScript in the browser..."
- »sunbeltblog.blogspot.com/2006/09···ing.html

- »secunia.com/advisories/21989/
Release Date: 2006-09-19
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
...Successful exploitation allows execution of arbitrary code.
NOTE: Reportedly, this is currently being exploited in the wild.
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
Solution:
Do not visit untrusted web sites.
Deactivating Active Scripting will prevent exploitation using the currently known exploit..."

- »blog.washingtonpost.com/security···pel.html
September 18, 2006; 10:25 PM ET
"...If past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage... Among the nasty pieces of software an IE user can expect to be whacked with upon visiting one of the sites is the BigBlue keystroke logger, which monitors and captures data from computers including screenshots, keystrokes, web cam and microphone data; it also records instant messaging chat sessions, e-mail information and the Web sites visited by the user. The exploit is also being used to install the incredibly invasive Spybot worm and VXGame Trojan, as well as adware titles that scam artists profit from on a per installation basis, such as Virtumondo, SafeSurfing, Avenue Media, WebHancer, Internet Optimizer, SurfSidekick, DollarRevenue, and the bogus anti-spyware program SpySheriff..."

.


SpannerITWks
Premium
join:2005-04-22

Thanx 4 the heads up !

Notice that once again this is exploited via having Active Scripting enabled !!!

We don't need it MS + web designers + web masters, get rid of it ASAP, as there are other much safer ways of achieving things in web pages.

-

There's also this one from a few days ago, this time ActiveX -

Internet Explorer daxctle.ocx "KeyFrame()" Method Vulnerability

»secunia.com/advisories/21910/

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



AplusWebMaster

@comcast.net

FYI...

- »www.symantec.com/enterprise/secu···loi.html
September 19, 2006
"...We have confirmed that this exploit takes advantage of a bug in VML (Vector Markup Language, which is an XML language used to produce vector graphics) to overflow a buffer and inject shell code. The exploit then downloads and installs multiple Security Risks, such as spyware, on the compromised machine... Although Microsoft has already been informed, at the time of writing there is no patch available for this particular exploit. Mitigating strategies include disabling JavaScript in Internet Explorer and using non-vulnerable browsers..."
> »www.symantec.com/enterprise/secu···-1801-99

.



angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4

reply to AplusWebMaster
Interesting how many of these 0-day exploits appear just after Patch Tuesday, it's almost like the Bad Guys are exploiting Microsoft's scheduled updates.


daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

reply to AplusWebMaster
I see that MS will most likely not patch this until Oct. 10 (although they "may" issue an out-of-cycle patch). I guess this isn't as important as fixing the breaking of their DRM code.

Personally, I feel that it is just wrong to wait for a specific day to release a patch when exploit code is already out for the flaw. Yes, I have heard the argument that enterprises want a predictable patch-release cycle (although companies seem to have functioned just fine back when MS released patches once they were ready), but what about the rest of us? And, even in the case of big corporations, wouldn't they prefer security over an arbitrary patch cycle? If I were a corporate IT guy, I know that I sure would! Am I the only one who thinks this way?


redwolfe_98
Premium
join:2001-06-11
kudos:1

1 edit

reply to AplusWebMaster
y'all beat me to the punch.. there are "workarounds" in the "suggested actions" section of the microsoft advisory..

i "unregistered" "vgx.dll" in accord with one of the "suggested actions"/"workarounds"..

»www.microsoft.com/technet/securi···568.mspx

»www.kb.cert.org/vuls/id/416092



SpannerITWks
Premium
join:2005-04-22

reply to AplusWebMaster
Re - Microsoft Internet Explorer Vector Markup Language Exploit

UPDATE 2 the eweek article

-

Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole

The newest zero-day flaw in the Microsoft Windows implementation of the Vector Markup Language is being used to flood infected machines with a massive collection of bots, Trojan downloaders, spyware and rootkits.

etc -

»www.eweek.com/article2/0,1895,2017620,00.asp

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



Zaber
When all are gone, there shall be none

join:2000-06-08
Cleveland, OH

reply to AplusWebMaster
It's scary that things like this have become so common that when I read the subject the first thing I thought was "what else is new."
--
Give a man a fish and he eats for a day, teach a man to fish and he will feed himself for a lifetime



AplusWebMaster

@comcast.net

reply to AplusWebMaster
FYI...

- »www.websense.com/securitylabs/bl···logID=81
Sep 20 2006
"The recently reported VML Internet Explorer "zero-day" exploit now has attack code publicly posted on the web. Although the first version results in a denial of service and not escalated privileges, we expect to see public posts of exploit code that does allow a user to run code without user-interaction. This may result in increased attacks based on the fact that there are no patches available and often "copy-cat" attacks that simply cut and paste P.O.C. code often occur after public release."

.


daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

reply to AplusWebMaster
Having read that IE7 is not vulnerable to this exploit, I installed the RC1 version this morning. So far, the only problem I have noted is that web page text was blurry, but my desktop remained razor-sharp. Doing some searching, I found that MS has turned on their Clear Type feature in IE7. Going into "Tools", then "Internet Options", then "Advanced", then "Multimedia" leads to the option to use Clear Type, which is checked by default. Un-checking that and restarting IE has eliminated the eyestrain. Why did MS do this without telling us???

I also see that the operator interface is considerably changed from that of IE6. I don't know if there is a way to go back to the old view; if there isn't, I suppose that I will get used to the new way in time. It would have been nice if they had kept the interface consistent with Windows Explorer, though.

The next step is to see how many of the websites that I normally visit work properly with IE7. Time will tell!


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

There have been numerous discussions about MS turning on Clear Type in IE7. You missed them because you just started using it and haven't been following the discussions. MS turned it on because CRTs are no longer the majority of monitors and most folks buying a monitor today buy LCD and those require Clear Type. I just wish that MS had turned Clear Type on in XP. I had a horrible time when I got a new computer in Nov 2003 and got my first flat panel digital LCD monitor and it was horrible. I couldn't read anything. I didn't know about Clear Type as I was new to XP and had no idea there was a solution but it wasn't on by default! It should have been as even in 2003, I would not have purchased another CRT.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.ie7.com/



altermatt
Premium
join:2004-01-22
White Plains, NY
Reviews:
·Verizon FiOS

reply to redwolfe_98

said by redwolfe_98:

there are "workarounds" in the "suggested actions" section of the microsoft advisory..
As of today, MS has confirmed they will not patch this until Oct. 10 (?), so here's the workaround:

"... individual Windows users can protect themselves against the flaw by deregistering vgx.dll. This DLL file is used by IE to render images that are based on Vector Markup Language (VML).

Microsoft recommends that users click Start, Run, paste the following line into the input box, and click OK:

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

After Microsoft releases a patch for the problem, you can easily reregister the DLL by repeating the procedure without the -u switch:

regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

While the workaround is in effect, Web sites that use VML won't display such images properly. Since some sites are already using the flaw to infect PCs, however, it's safer to use the workaround even if some sites temporarily look different.

The above fix works on Windows XP and Server 2003, but the security hole also affects Windows 2000 SP4, according to Microsoft. For more information, see the Suggested Actions (Workarounds) section of MS bulletin 925568.

The VML hole is unrelated to an ActiveX vulnerability in IE that was first reported last week by the French Security Incident Response Team (FrSIRT). That flaw hasn't yet been seen in the wild. Workarounds to protect against it are described in FrSIRT advisory 3593 and Microsoft bulletin 925444."
--
The truth of a thing is the feel of it, not the think of it. -- Stanley Kubrick
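
Added example, not part of the thread or of Microsoft's advisory: a PowerShell script that applies or reverts the vgx.dll workaround quoted above and then checks the registry to confirm whether any COM class still points at the DLL. The script layout, the function names and the -Mode parameter are hypothetical; it assumes the DLL path given in the post and an elevated prompt.

```powershell
# Added example; function names and the -Mode parameter are hypothetical.
param(
    [ValidateSet('Check', 'Unregister', 'Register')]
    [string]$Mode = 'Check'
)

# DLL path as quoted in the post above.
$dll = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistration {
    # In-process COM servers are recorded as the default value of
    # HKCR\CLSID\{clsid}\InprocServer32; list every class served by vgx.dll.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sub = $_.OpenSubKey('InprocServer32')
            if ($sub) {
                $server = [string]$sub.GetValue('')
                $sub.Close()
                if ($server -match '\\vgx\.dll"?\s*$') {
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server }
                }
            }
        }
}

function Invoke-Regsvr32([string[]]$Switches) {
    if (-not (Test-Path -LiteralPath $dll)) { throw "vgx.dll not found at $dll" }
    # /s suppresses the dialog box so the exit code can be checked instead.
    $argv = @('/s') + $Switches + "`"$dll`""
    $proc = Start-Process regsvr32.exe -ArgumentList $argv -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "regsvr32 exited with code $($proc.ExitCode)" }
}

switch ($Mode) {
    'Unregister' { Invoke-Regsvr32 @('/u') }   # /u is the same switch as -u in the post
    'Register'   { Invoke-Regsvr32 @() }       # re-register once a patch is installed
}

# Always finish by reporting the state actually present in the registry.
$found = @(Get-VgxRegistration)
if ($found.Count -eq 0) {
    'vgx.dll is not registered: workaround in effect.'
} else {
    "vgx.dll is registered for $($found.Count) COM class(es): workaround NOT in effect."
    $found
}
```

Running it with no arguments only reports the current state, which makes it usable as a compliance check across machines before and after the workaround is pushed.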

daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

reply to Mele20
OK, I understand that a lot of LCD monitors are out there, but I'll bet that there are many CRT's still in use. The strange part about MS's decision to use Clear Type in IE7 is that text other than webpages does not use CT by default (even the taskbar area at the top of IE7 doesn't use it). So, you would have a situation of some text being displayed in CT and some not, unless you manually turned on CT for everything.

I think that a better approach would be for MS to ask you what sort of monitor you have during the IE7 install process, and then have the program decide whether to turn on CT or not. Also, if MS is going to turn on CT, they should alert you to the need to use the Clear Type Tuner utility in order to set up CT properly. In my case, at least, I saw no messages telling me that I should use CTT.

So far, my alternative browser experience has not been entirely seamless. IE7 (RC1) has apparently not been accepted by all of the websites that I usually access; foxnews.com has been especially unforgiving when I try to play some of their streaming videos. Firefox also appears to have some issues with Fox News, but at least it will let me play the videos (but it will not allow me to select my connection speed). Opera works fine with Fox News, but I can't get some features in my Hotmail account with this browser. And, it will still be necessary to go back to IE in order to get my Windows updates. It would be wonderful if everything adhered to recognized standards, so that any webpage would display properly using any browser. Too much to hope for, it would seem!



hobgoblin
Sortof Agoblin
Premium
join:2001-11-25
Orchard Park, NY
kudos:8

reply to AplusWebMaster
I am seeing a large amount of calls today from people whose IE browser opens, then immediately closes. They can surf fine with another Browser. Could this be related to that?

Hob
--
"A foolish consistency is the hobgoblin of little minds." - Ralph Waldo Emerson


astirusty
Premium
join:2000-12-23
Henderson, NV

reply to SpannerITWks

said by SpannerITWks:

Re - Microsoft Internet Explorer Vector Markup Language Exploit UPDATE 2 the eweek article
Given the exploit is now four days old.
Any ideas on how we could tie the VML exploit to MS's DRM implementations?

daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

reply to AplusWebMaster
Breaking news- a security response team has issued an emergency patch, along with a test to see if you are vulnerable. Go to:

»www.eweek.com/article2/0,1895,20···2206EOAD



Rocky67
Pencil Neck Geek
Premium
join:2005-01-13
Orange, CA

Thanks dave. I'll be testing the patch almost immediately.
--
"The Internet? Is that still around?" - Homer



SpannerITWks
Premium
join:2005-04-22

1 edit

reply to AplusWebMaster
astirusty

Not quite sure what you mean ? the exploits are still occurring + All that stuff is being pushed out there !

daveinpoway

Thanx 4 the info + link.

Didn't think i needed the patch, so i just tried the vuln test on - »isotf.org/zert/ - mentioned in your link, it's accessed via the Download link by the way in case some don't know, as it's not immediately apparent that's how you find it !

This is what i got -



Yep will do lol, Thanx, patch not required !

And that's after un renaming - VGX.DLL - as mentioned in here - »Eric Sites of Sunbelt on the VML exploit - and also enabling Active Scripting too !

Spanner

edit - extra info Only
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks


daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

Yes, IE7 (RC1) came up for me as not vulnerable. I was not about to go through the hassle of uninstalling IE7 and going back to IE6 to see if that would have been flagged or not.

I have read that people who use MS's security suite or some of Symantec's products are supposed to be protected against this exploit. Anyone know if other anti-malware companies (McAfee, AVG, Avast, Zone Labs, etc.) have also come out with protections against this bad thing? I have also read that up to 10,000 websites could potentially be sending out the attack code to vulnerable PC's by Monday, but that may turn out to be way too high a number (hopefully so, as I can see this situation spreading out of control if users can get infected through that many sites).


astirusty
Premium
join:2000-12-23
Henderson, NV

reply to SpannerITWks

said by SpannerITWks:

astirusty Not quite sure what you mean ? the exploits are still occurring + All that stuff is being pushed out there!
Ohhh, how we soon forget, remember it only took MS three days to create a patch when DRM ($$$) were involved! Now that it is the security of users ...
