AplusWebMaster
@comcast.net
Anon

MSIE Zero-Day exploit in use on the Web

FYI...

- »www.eweek.com/article2/0 ··· K0000614
September 18, 2006
"Security researchers at Sunbelt Software have discovered an active malware attack against fully patched versions of Microsoft's Internet Explorer browser. The exploit has been seeded at several porn sites hosted in Russia and is being used to launch drive-by malware downloads that appear to be hijacking Windows machines for use in botnets. eWEEK has confirmed the flaw—and zero-day attacks—and on a fully patched version of Windows XP SP2 running IE 6.0. There are at least three different sites hosting the malicious executables, which are being served up on a rotational basis. According to Eric Sites, vice president of research and development at Florida-based Sunbelt Software, the vulnerability is a buffer overflow in the way the world's most widely used browser handles VML (Vector Markup Language) code. The attack is linked to the WebAttacker, a do-it-yourself malware installation toolkit that is sold at multiple underground Web sites. "Once you click on the site, the exploit opens a denial-of-service box and starts installing spyware," Sites said. He said the exploit can be mitigated by turning off JavaScript in the browser..."
- »sunbeltblog.blogspot.com ··· ing.html

- »secunia.com/advisories/21989/
Release Date: 2006-09-19
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
"...Successful exploitation allows execution of arbitrary code.
NOTE: Reportedly, this is currently being exploited in the wild.
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
Solution:
Do not visit untrusted web sites.
Deactivating Active Scripting will prevent exploitation using the currently known exploit..."

- »blog.washingtonpost.com/ ··· pel.html
September 18, 2006; 10:25 PM ET
"...If past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage... Among the nasty pieces of software an IE user can expect to be whacked with upon visiting one of the sites is the BigBlue keystroke logger, which monitors and captures data from computers including screenshots, keystrokes, web cam and microphone data; it also records instant messaging chat sessions, e-mail information and the Web sites visited by the user. The exploit is also being used to install the incredibly invasive Spybot worm and VXGame Trojan, as well as adware titles that scam artists profit from on a per installation basis, such as Virtumondo, SafeSurfing, Avenue Media, WebHancer, Internet Optimizer, SurfSidekick, DollarRevenue, and the bogus anti-spyware program SpySheriff..."


SpannerITWks
Premium Member
join:2005-04-22
Thanx 4 the heads up!

Notice that once again this is exploited via having Active Scripting enabled!!!

We don't need it MS + web designers + web masters, get rid of it ASAP, as there are other much safer ways of achieving things in web pages.

-

There's also this one from a few days ago, this time ActiveX -

Internet Explorer daxctle.ocx "KeyFrame()" Method Vulnerability

»secunia.com/advisories/21910/

Spanner

AplusWebMaster
@comcast.net
Anon

FYI...

- »www.symantec.com/enterpr ··· loi.html
September 19, 2006
"...We have confirmed that this exploit takes advantage of a bug in VML (Vector Markup Language, which is an XML language used to produce vector graphics) to overflow a buffer and inject shell code. The exploit then downloads and installs multiple Security Risks, such as spyware, on the compromised machine... Although Microsoft has already been informed, at the time of writing there is no patch available for this particular exploit. Mitigating strategies include disabling JavaScript in Internet Explorer and using non-vulnerable browsers..."
> »www.symantec.com/enterpr ··· -1801-99


angussf
Premium Member
join:2002-01-11
Tucson, AZ

angussf to AplusWebMaster
Interesting how many of these 0-day exploits appear just after Patch Tuesday, it's almost like the Bad Guys are exploiting Microsoft's scheduled updates.

daveinpoway
Premium Member
join:2006-07-03
Poway, CA

daveinpoway to AplusWebMaster
I see that MS will most likely not patch this until Oct. 10 (although they "may" issue an out-of-cycle patch). I guess this isn't as important as fixing the breaking of their DRM code.

Personally, I feel that it is just wrong to wait for a specific day to release a patch when exploit code is already out for the flaw. Yes, I have heard the argument that enterprises want a predictable patch-release cycle (although companies seem to have functioned just fine back when MS released patches once they were ready), but what about the rest of us? And, even in the case of big corporations, wouldn't they prefer security over an arbitrary patch cycle? If I were a corporate IT guy, I know that I sure would! Am I the only one who thinks this way?

redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to AplusWebMaster
y'all beat me to the punch.. there are "workarounds" in the "suggested actions" section of the microsoft advisory..

i "unregistered" "vgx.dll" in accord with one of the "suggested actions"/"workarounds"..

»www.microsoft.com/techne ··· 568.mspx

»www.kb.cert.org/vuls/id/416092

SpannerITWks
Premium Member
join:2005-04-22

SpannerITWks to AplusWebMaster
Re - Microsoft Internet Explorer Vector Markup Language Exploit

UPDATE 2 the eweek article

-

Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole

The newest zero-day flaw in the Microsoft Windows implementation of the Vector Markup Language is being used to flood infected machines with a massive collection of bots, Trojan downloaders, spyware and rootkits.

etc -

»www.eweek.com/article2/0 ··· 0,00.asp

Spanner

Zaber
When all are gone, there shall be none
Member
join:2000-06-08
Cleveland, OH

Zaber to AplusWebMaster
It's scary that things like this have become so common that when I read the subject the first thing I thought was "what else is new."

AplusWebMaster
@comcast.net
Anon

AplusWebMaster to AplusWebMaster
FYI...

- »www.websense.com/securit ··· logID=81
Sep 20 2006
"The recently reported VML Internet Explorer "zero-day" exploit now has attack code publicly posted on the web. Although the first version results in a denial of service and not escalated privileges, we expect to see public posts of exploit code that does allow a user to run code without user-interaction. This may result in increased attacks based on the fact that there are no patches available and often "copy-cat" attacks that simply cut and paste P.O.C. code often occur after public release."

daveinpoway
Premium Member
join:2006-07-03
Poway, CA

daveinpoway to AplusWebMaster
Having read that IE7 is not vulnerable to this exploit, I installed the RC1 version this morning. So far, the only problem I have noted is that web page text was blurry, but my desktop remained razor-sharp. Doing some searching, I found that MS has turned on their Clear Type feature in IE7. Going into "Tools", then "Internet Options", then "Advanced", then "Multimedia" leads to the option to use Clear Type, which is checked by default. Un-checking that and restarting IE has eliminated the eyestrain. Why did MS do this without telling us???

I also see that the operator interface is considerably changed from that of IE6. I don't know if there is a way to go back to the old view; if there isn't, I suppose that I will get used to the new way in time. It would have been nice if they had kept the interface consistent with Windows Explorer, though.

The next step is to see how many of the websites that I normally visit work properly with IE7. Time will tell!

Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

There have been numerous discussions about MS turning on Clear Type in IE7. You missed them because you just started using it and haven't been following the discussions. MS turned it on because CRTs are no longer the majority of monitors and most folks buying a monitor today buy LCD and those require Clear Type. I just wish that MS had turned Clear Type on in XP. I had a horrible time when I got a new computer in Nov 2003 and got my first flat panel digital LCD monitor and it was horrible. I couldn't read anything. I didn't know about Clear Type as I was new to XP and had no idea there was a solution but it wasn't on by default! It should have been as even in 2003, I would not have purchased another CRT.

altermatt
Premium Member
join:2004-01-22
White Plains, NY

altermatt to redwolfe_98
said by redwolfe_98:

there are "workarounds" in the "suggested actions" section of the microsoft advisory..
As of today, MS has confirmed they will not patch this until Oct. 10 (?), so here's the workaround:

"... individual Windows users can protect themselves against the flaw by deregistering vgx.dll. This DLL file is used by IE to render images that are based on Vector Markup Language (VML).

Microsoft recommends that users click Start, Run, paste the following line into the input box, and click OK:

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

After Microsoft releases a patch for the problem, you can easily reregister the DLL by repeating the procedure without the -u switch:

regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

While the workaround is in effect, Web sites that use VML won't display such images properly. Since some sites are already using the flaw to infect PCs, however, it's safer to use the workaround even if some sites temporarily look different.

The above fix works on Windows XP and Server 2003, but the security hole also affects Windows 2000 SP4, according to Microsoft. For more information, see the Suggested Actions (Workarounds) section of MS bulletin 925568.

The VML hole is unrelated to an ActiveX vulnerability in IE that was first reported last week by the French Security Incident Response Team (FrSIRT). That flaw hasn't yet been seen in the wild. Workarounds to protect against it are described in FrSIRT advisory 3593 and Microsoft bulletin 925444."

daveinpoway
Premium Member
join:2006-07-03
Poway, CA

daveinpoway to Mele20
OK, I understand that a lot of LCD monitors are out there, but I'll bet that there are many CRT's still in use. The strange part about MS's decision to use Clear Type in IE7 is that text other than webpages does not use CT by default (even the taskbar area at the top of IE7 doesn't use it). So, you would have a situation of some text being displayed in CT and some not, unless you manually turned on CT for everything.

I think that a better approach would be for MS to ask you what sort of monitor you have during the IE7 install process, and then have the program decide whether to turn on CT or not. Also, if MS is going to turn on CT, they should alert you to the need to use the Clear Type Tuner utility in order to set up CT properly. In my case, at least, I saw no messages telling me that I should use CTT.

So far, my alternative browser experience has not been entirely seamless. IE7 (RC1) has apparently not been accepted by all of the websites that I usually access; foxnews.com has been especially unforgiving when I try to play some of their streaming videos. Firefox also appears to have some issues with Fox News, but at least it will let me play the videos (but it will not allow me to select my connection speed). Opera works fine with Fox News, but I can't get some features in my Hotmail account with this browser. And, it will still be necessary to go back to IE in order to get my Windows updates. It would be wonderful if everything adhered to recognized standards, so that any webpage would display properly using any browser. Too much to hope for, it would seem!

hobgoblin
Sortof Agoblin
Premium Member
join:2001-11-25
Orchard Park, NY

hobgoblin to AplusWebMaster
I am seeing a large amount of calls today from people whose IE browser opens, then immediately closes. They can surf fine with another Browser. Could this be related to that?

Hob

astirusty
Premium Member
join:2000-12-23
Henderson, NV

astirusty to SpannerITWks
said by SpannerITWks:

Re - Microsoft Internet Explorer Vector Markup Language Exploit UPDATE 2 the eweek article
Given the exploit is now four days old.
Any ideas on how we could tie the VML exploit to MS's DRM implementations?

daveinpoway
Premium Member
join:2006-07-03
Poway, CA

daveinpoway to AplusWebMaster
Breaking news- a security response team has issued an emergency patch, along with a test to see if you are vulnerable. Go to:

»www.eweek.com/article2/0 ··· 2206EOAD

Rocky67
Pencil Neck Geek
Premium Member
join:2005-01-13
Orange, CA

Rocky67
Thanks dave. I'll be testing the patch almost immediately.

SpannerITWks
Premium Member
join:2005-04-22

SpannerITWks to AplusWebMaster
astirusty

Not quite sure what you mean ? the exploits are still occurring + All that stuff is being pushed out there !

daveinpoway

Thanx 4 the info + link.

Didn't think i needed the patch, so i just tried the vuln test on - »isotf.org/zert/ - mentioned in your link, it's accessed via the Download link by the way in case some don't know, as it's not immediately apparent that's how you find it !

This is what i got -



Yep will do lol, Thanx, patch not required !

And that's after un renaming - VGX.DLL - as mentioned in here - »Eric Sites of Sunbelt on the VML exploit - and also enabling Active Scripting too !

Spanner

edit - extra info Only

daveinpoway
Premium Member
join:2006-07-03
Poway, CA

daveinpoway
Yes, IE7 (RC1) came up for me as not vulnerable. I was not about to go through the hassle of uninstalling IE7 and going back to IE6 to see if that would have been flagged or not.

I have read that people who use MS's security suite or some of Symantec's products are supposed to be protected against this exploit. Anyone know if other anti-malware companies (McAfee, AVG, Avast, Zone Labs, etc.) have also come out with protections against this bad thing? I have also read that up to 10,000 websites could potentially be sending out the attack code to vulnerable PC's by Monday, but that may turn out to be way too high a number (hopefully so, as I can see this situation spreading out of control if users can get infected through that many sites).

astirusty
Premium Member
join:2000-12-23
Henderson, NV

astirusty to SpannerITWks
said by SpannerITWks:

astirusty Not quite sure what you mean ? the exploits are still occurring + All that stuff is being pushed out there!
Ohhh, how we soon forget, remember it only took MS three days to create a patch when DRM ($$$) were involved! Now that it is the security of users ...

altermatt
Premium Member
join:2004-01-22
White Plains, NY

altermatt to daveinpoway
said by daveinpoway:

Breaking news- a security response team has issued an emergency patch,
I don't understand. Since the "official" workaround is just typing one line in the run box, why would anyone go through the effort (and risk, such as it might be, though I trust these guys) of downloading a patch and installing it? If the workaround still left you vulnerable in a way the patch didn't, or was difficult to implement, I could understand. But this workaround isn't. One line and voila.

ALSO: I've been instructing people to unregister the .dll in an admin. account. Does anyone know if this definitely protects the user accounts as well? Or does it have to be repeated (and will it work?) in each user account?

SpannerITWks
Premium Member
join:2005-04-22

SpannerITWks to AplusWebMaster
astirusty

Aha yes the " Magic " 3 day wonder, i didn't forget, just wasn't 100% sure what you were quoting me on, thanx !

-

** UPDATE ** looks like MS " may " go out of cycle again on this, just as for the WMF exploit !

-

A quick entry on the VML issue

- But like I said the good news here is that around 24-48 hours ago we began to see we have the possibility of going out of band here and we will keep you posted as we go.

»blogs.technet.com/msrc/a ··· 266.aspx

-

VML Candid Camera

Now that we are seeing VML exploits proliferate the Internet, we thought it would be fun to grab a video capture of what happens when a workstation visits an infected site. We did a similar video when the WMF zero-day was released and our workstation was instantly flooded with Spyware applications and pop-ups galore. It was an impressive sight and obvious that you had just visited an infected site.

So, we fired up our trusty video capture tools and pointed a VMWare workstation at a random site where our miners had recently discovered an iframe containing a VML exploit.

But...what's this? Nothing happened, or so it seemed.

etc -

http://www.websense.com/securitylabs/blog/blog.php?BlogID=82

-

Nice rundown in the Vid.

I went to the VML exploit www in the vid + as expected nothing happened, of course if you have Iframes disabled, along with other **** such as Active Scripting, then your sorted !

I noticed in the source the're using this guys - http://www.shawnolson.net/a/503/ - JavaScript function dynamic changer.

Also in there - http://www.google-analytics.com/ - and - http://ad.yieldmanager.com - as mentioned in here - http://www.benedelman.org/spyware/images/yahoo-apr06/3/log.html

-

Spanner

edit - extra info Only

Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to daveinpoway
said by daveinpoway:

Breaking news- a security response team has issued an emergency patch, along with a test to see if you are vulnerable. Go to:

»www.eweek.com/article2/0 ··· 2206EOAD
It doesn't work on XP Pro SP2. I just tried both GUI and Command line and then did the test and IE crashes. I had IE and OE closed when I tried to apply the patch.

redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to altermatt
said by altermatt: Does anyone know if this definitely protects the user accounts as well? Or does it have to be repeated (and will it work?) in each user account?

it probably is the case where you can only apply the patch while logged in as an administrator, and i would imagine that "unregistering" the "VGX.dll" file would affect the computer as a whole..

if the "workaround" had to be applied to each user-account, i think that that would have been mentioned in the MS advisory..

»www.microsoft.com/techne ··· 568.mspx
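The advisory workaround quoted earlier in the thread (regsvr32 -u on vgx.dll, then re-register once a patch ships) and altermatt's question about whether a single unregister from an administrator account covers every user can both be answered from the registry. The PowerShell script below is an added example, not part of the thread or of Microsoft's advisory: it lists every CLSID whose InprocServer32 points at vgx.dll (or at ZERT's replacement vgxnew.dll), reporting HKLM entries, which apply to all accounts on the machine, separately from HKCU entries, which apply only to the current user, and it wraps the regsvr32 step with a verification afterwards. The function names are mine; the script assumes a 32-bit Windows layout with vgx.dll at the path the advisory gives, PowerShell 3 or later, and an elevated prompt for the HKLM change.

```powershell
# Added example (not from the thread or from Microsoft). Shows where the VML
# renderer is registered and wraps the advisory's regsvr32 workaround with a check.

function Get-VmlHandlerRegistration {
    # COM servers live under <hive>\Software\Classes\CLSID\{guid}\InprocServer32.
    # HKLM is machine-wide (every account); HKCU only affects the user running this.
    $hives = @{
        'HKLM (all users)' = 'HKLM:\SOFTWARE\Classes\CLSID'
        'HKCU (this user)' = 'HKCU:\Software\Classes\CLSID'
    }
    foreach ($label in $hives.Keys) {
        $root = $hives[$label]
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $inproc = Join-Path $key.PSPath 'InprocServer32'
            if (-not (Test-Path $inproc)) { continue }
            # The unnamed default value holds the DLL path for the in-process server.
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($dll -and $dll -match 'vgx(new)?\.dll$') {
                [pscustomobject]@{ Hive = $label; Clsid = $key.PSChildName; Dll = $dll }
            }
        }
    }
}

function Set-VmlHandler {
    param([Parameter(Mandatory=$true)][ValidateSet('Disable','Restore')][string]$Action)
    # Path exactly as the quoted advisory text gives it (32-bit layout assumed).
    $dll = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'
    if (-not (Test-Path $dll)) { throw "vgx.dll not found at $dll" }
    # /u unregisters (the thread's -u is the same switch); /s suppresses the dialog.
    $regArgs = @('/s')
    if ($Action -eq 'Disable') { $regArgs += '/u' }
    $regArgs += "`"$dll`""
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $regArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($proc.ExitCode)" }
    # Report the registration state afterwards so the change can be verified.
    Get-VmlHandlerRegistration
}

# Usage from an elevated prompt:
#   Get-VmlHandlerRegistration        # a row under HKLM means VML is live for everyone
#   Set-VmlHandler -Action Disable    # the advisory workaround; no rows means unregistered
#   Set-VmlHandler -Action Restore    # once the vendor patch is installed
```

regsvr32 writes its registration under HKLM\SOFTWARE\Classes, so an unregister run from an administrator account takes effect for every account on the machine; the HKCU scan is there only to catch a per-user registration that would otherwise keep VML alive for one user. On Windows 2000 SP4, where swhx7 notes that renaming the DLL is blocked by Windows File Protection, the advisory's unregister-plus-ACL route is the one to follow; the ACL step is not shown here.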

Libra
Premium Member
join:2003-08-06
USA
If we unregister the vgx.dll in XP and MS makes an update to fix this on October 10 does anyone know are we suppose to install the update first and then re-register the .dll or vice versa?

Sincerely, Libra

redwolfe_98
Premium Member
join:2001-06-11
said by Libra:

does anyone know are we suppose to install the update first and then re-register the .dll or vice versa?
i would re-register the "vgx.dll" file and then reboot the computer before applying the MS-patch..

Libra
Premium Member
join:2003-08-06
USA
Thank you Redwolfe.
Sincerely, Libra

swhx7
Premium Member
join:2006-07-23
Elbonia

swhx7 to altermatt
said by altermatt:

I don't understand. Since the "official" workaround is just typing one line in the run box, why would anyone go through the effort (and risk, such as it might be, though I trust these guys) of downloading a patch and installing it? If the workaround still left you vulnerable in a way the patch didn't, or was difficult to implement, I could understand. But this workaround isn't. One line and voila.
The ZERT people explain, "We unregister the vulnerable DLL, replace the vulnerable function and register vgxnew.dll as the handler for VML." So the advantage would be that it keeps VML working (assuming they fixed it right).

I agree, better not to risk a third party patch unless you are in need of IE *and* VML before patch Tuesday and can validate the patch.

On edit: On Windows 2000 SP4, attempt to rename the dll is obstructed by WFP. Use workarounds given on the MS page: »www.microsoft.com/techne ··· 568.mspx (unregister and set ACL).

SpannerITWks
Premium Member
join:2005-04-22

SpannerITWks to AplusWebMaster
Here's an idea that " might " work for those having problems with Renaming or Unregistering etc !

Make a copy of - vgx.dll - and save it somewhere, and make a note of the location it was in. Then use a Delete on Boot utility or something similar like - Unlocker - »ccollomb.free.fr/unlocker/ - which is very good + safe + Free. Then select the existing - vgx.dll - and try to delete it.

When MS get round to fixing it, just drop the copy of - vgx.dll - back in place.

Let us know if it's removed successfully or not.

-

Web hosting firm suffers VML exploit

Hackers have hijacked a large number of sites at web hosting firm HostGator and are seeking to plant trojans on computers of unwitting visitors to customer sites. HostGator customers report that attackers are redirecting their sites to outside web pages that use the unpatched VML exploit in Internet Explorer to install trojans on computers of users. Site owners said iframe code inserted into their web pages was redirecting users to the malware-laden pages.

etc -

http://news.netcraft.com/archives/2006/09/22/hacked_hostgator_sites_distribute_ie_exploit.html

Spanner
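The Netcraft report quoted above describes hacked hosting accounts serving the exploit through iframe code inserted into otherwise legitimate customer pages. For a site owner checking their own export, the PowerShell function below is an added example (not from the thread, Netcraft or HostGator): it lists every <iframe> that points at a host other than the site's own, has a zero- or one-pixel dimension, or is hidden by CSS, the traits such injected frames typically share. The function name, the sample page and the .invalid hostnames are constructed for the demo.

```powershell
# Added example (not from the thread). Flags iframes in saved HTML that look injected:
# off-site source, near-zero size, or hidden by CSS. Sample input is constructed.

function Find-SuspiciousIframes {
    param(
        [Parameter(Mandatory=$true)][string]$Html,
        [Parameter(Mandatory=$true)][string]$SiteHost   # the site's own hostname
    )
    $findings = @()
    # Capture the attribute string of every <iframe ...> tag, case-insensitively.
    foreach ($m in [regex]::Matches($Html, '<iframe\b([^>]*)>', 'IgnoreCase')) {
        $attrs = $m.Groups[1].Value
        $src = ''
        if ($attrs -match 'src\s*=\s*["'']?([^"''\s]+)') { $src = $Matches[1] }
        $reasons = @()
        # Absolute (or protocol-relative) URL whose host is not ours.
        if ($src -match '^(?:https?:)?//([^/:?#]+)') {
            if ($Matches[1] -ne $SiteHost) { $reasons += "off-site host '$($Matches[1])'" }
        }
        # width/height of 0 or 1 (optionally "px"): a frame nobody is meant to see.
        if ($attrs -match '\b(?:width|height)\s*=\s*["'']?[01](?:px)?["'']?(?![\d%])') {
            $reasons += 'zero/one-pixel dimension'
        }
        # Inline CSS that hides the frame outright.
        if ($attrs -match 'display\s*:\s*none|visibility\s*:\s*hidden') {
            $reasons += 'hidden by CSS'
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Src     = $src
                Reasons = ($reasons -join '; ')
                Tag     = $m.Value
            }
        }
    }
    return $findings
}

# Constructed sample page: one legitimate frame, one off-site zero-size frame,
# and one local frame hidden by CSS. The .invalid hostnames are placeholders.
$sampleHtml = @'
<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example-shop.invalid/promo.html" width="300" height="200"></iframe>
<IFRAME src="http://bad-host.invalid/x.html" width=0 height=0></IFRAME>
<iframe src="/local/help.html" style="display:none"></iframe>
</body></html>
'@

Find-SuspiciousIframes -Html $sampleHtml -SiteHost 'www.example-shop.invalid' | Format-Table -AutoSize

# Against a real site export, for example:
# Get-ChildItem -Path C:\inetpub\wwwroot -Recurse -Include *.htm,*.html |
#   ForEach-Object { Find-SuspiciousIframes -Html ([IO.File]::ReadAllText($_.FullName)) -SiteHost 'www.example.com' }
```

On the sample page the first frame is clean and the other two are reported. A hit is a reason to diff the file against a known-good copy and to look at how it was modified, not proof by itself; legitimate analytics and ad code also uses small or hidden frames, which is why the output keeps the full tag for review.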

Sparrow
Crystal Sky
Premium Member
join:2002-12-03
Sachakhand

Sparrow to altermatt
said by altermatt:
said by daveinpoway:

Breaking news- a security response team has issued an emergency patch,
I don't understand. Since the "official" workaround is just typing one line in the run box, why would anyone go through the effort (and risk, such as it might be, though I trust these guys) of downloading a patch and installing it? If the workaround still left you vulnerable in a way the patch didn't, or was difficult to implement, I could understand. But this workaround isn't. One line and voila. [...snip...
Perhaps because some people like to complicate their lives?

Unregistering the .dll works fine and have already implemented this at work, home and in e-mails to friends.

Thank you for the fix, altermatt, and repeating it here for those who may have missed it:
said by altermatt:

As of today, MS has confirmed they will not patch this until Oct. 10 (?), so here's the workaround:

"... individual Windows users can protect themselves against the flaw by deregistering vgx.dll. This DLL file is used by IE to render images that are based on Vector Markup Language (VML).

Microsoft recommends that users click Start, Run, paste the following line into the input box, and click OK:

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

After Microsoft releases a patch for the problem, you can easily reregister the DLL by repeating the procedure without the -u switch:

regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"


While the workaround is in effect, Web sites that use VML won't display such images properly. Since some sites are already using the flaw to infect PCs, however, it's safer to use the workaround even if some sites temporarily look different.

The above fix works on Windows XP and Server 2003, but the security hole also affects Windows 2000 SP4, according to Microsoft. For more information, see the Suggested Actions (Workarounds) section of MS bulletin 925568.

The VML hole is unrelated to an ActiveX vulnerability in IE that was first reported last week by the French Security Incident Response Team (FrSIRT). That flaw hasn't yet been seen in the wild. Workarounds to protect against it are described in FrSIRT advisory 3593 and Microsoft bulletin 925444."