ALERT: Internet Explorer Vulnerability

Discussion in 'other security issues & news' started by Paul Wilders, Sep 8, 2003.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    A severe vulnerability has been discovered. All IE users are recommended to read this article and can perform a vulnerability test over here:

    http://www.secunia.com/MS03-032/

    regards.

    paul
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    And because of that I understand this one is still getting through:

    VSantivirus no. 1158, Year 7, Monday, 8 September 2003

    Troj/JunkSurf.A. It infects just by viewing an HTML page
    http://www.vsantivirus.com/junksurf-a.htm

    Name: Troj/JunkSurf.A
    Type: Trojan horse
    Alias: Win32.JunkSurf, Download.Aduent.Trojan, Downloader-ED, TROJ_JUNKSURF.A, VBS_JUNKSURF.A, TrojanDownloader.Win32.Small.aq, Win32/JunkSurf.A.Trojan, Win32/JunkSurf.A, Trojan.Aduent, Troj/JSurf-A, Adware-Surfbar
    Date: 5/Sep/03
    Platform: Windows 32-bit
    Sizes: 6,657 bytes (exe), 508,000 bytes (dll), 1.536 bytes, 932 bytes

    This Trojan horse exploits the vulnerability described in Microsoft security bulletin MS03-032:
    Object tag vulnerability

    Internet Explorer does not correctly determine the type of an object returned by a web server; an attacker could use this flaw to execute arbitrary code on a user's system.

    If a user visits the attacker's web site, the attacker could exploit this vulnerability without any further intervention from the user. An attacker could also craft an HTML-format e-mail message to exploit this vulnerability.

    More information:

    MS03-032 Cumulative Update for IE (822925)
    http://www.vsantivirus.com/vulms03-032.htm
     
    Last edited by a moderator: Apr 11, 2004
  3. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Paul - can you please explain the following para. on the Secunia website .... What kind of web page? o_O Am not too bright today. :(

    WARNING:
    If you are vulnerable, the Secunia website will execute Internet Explorer on your system and load a new web page.
     
  4. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743

    It will then load this page...


    http://www.secunia.com/MS03-032/TEST_OBJECT/test.html
     
    Last edited by a moderator: Apr 11, 2004
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Ah, no wonder it didn't work when I tested at that site... That link is attempting to use HTA to bring up the IE session. It looks like this is an additional reason for people to use the HTAstop utility or script control applications.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Correct, John ;)

    Just another reason to be very careful using ActiveX, consider an IE replacement and a safe email client ;)

    regards.

    paul
     
  7. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Thanks for the update, will these HACKtiveX exploits never end?
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    That's funny! :D

    regards.

    paul
     
    Last edited by a moderator: Apr 11, 2004
  9. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I've been calling it that since the early days of IE with Win95, because their proprietary applets have been the source of many security exploits ;)

    If they didn't use HacktiveX, VBScripting, and even make new kinds of executables like .hta based on IE, there wouldn't be as many exploits as there are today.
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
     
  11. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    In our company (2500 clients) we disabled ActiveX for the Internet sites zone in IE. You don't want to know how many professionally used sites use ActiveX. We've got to move those addresses to the Trusted sites zone in IE. That's a lot of work...

    I plan to make a black list :mad: :mad: :mad:
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Andre,

    Nice - post them in a new thread, and keep it up to date! :D

    regards.

    paul
     
  13. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi John,

    Nope, nothing to do: it does not use a *.hta but a *.exe ;)
    Maybe the test server was down or overcrowded when you performed the test: the first time I ran it, it also failed.

    The only way to prevent it is by deactivating ActiveX in the Internet zone (or at least setting it to ask before execution, to get a warning).

    Nevertheless, it's a good thing to use htastop ;)

    Rgds
     
    Last edited by a moderator: Apr 11, 2004
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hey Jack,

    Actually, I posted that, not John. ;) It does appear that HTA is used within the test itself... But, I never said the exploit was HTA related. All I said was:

    You see, the test didn't work for me even though I knew my system should be vulnerable to it once I had allowed all the IE functions. It wasn't until I checked John's link and realized that it used HTA that I understood. I used HTAstop to re-enable HTA on my system, and then I was able to get the exploit window to come up. (Well, I also had to disable TTT, of course.)

    The test uses this link to demonstrate if your system is vulnerable to the exploit:
    http://www.secunia.com/MS03-032/TEST_OBJECT/test.html
    It comes from the exploit portion of the test page:

    Code:
    <xml id="oExec">
    <security>
    <exploit>
    <![CDATA[
    <object data=http://www.secunia.com/MS03-032/TEST_OBJECT/test.html width=0 height=0>
    ]]>
    </exploit>
    </security>
    </xml>
    When I click on the link, it tries to execute "test.hta". If I right-click on the link and do a Save As... it calls up a download dialog box to save test.hta on my system. That's what I was talking about.

    Now as far as the exploit itself goes, yes, I noticed the ActiveX use. In fact, I had to set ActiveX to prompt in the first place to even have the test happen. ;)

    This is the code in the HTA file which is actually responsible for the newly created IE window that the test shows because a person's system was vulnerable to the original exploit...

    Code:
    <html><object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
    <script>
    wsh.Run("iexplore.exe \"http://www.secunia.com/MS03-032/VULNERABLE/?ID=0JN5lpFVhCJQHgtYKxldoOMto2tsInTW9ut\"");
    </script></html>
    I imagine they are using HTA because it's an easy way to run a script locally on a person's PC. Such a script can call up the new IE window to display the test results. Oh, interestingly enough, the "ID" field is unique for every test run. Perhaps they are using that to log the number of unique systems that come through to their webserver. :doubt:
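    A defender's counterpart to the analysis above, as an added example that is not part of the post or of Secunia's test: a PowerShell check a mail or proxy content filter could run over HTML/HTA text to flag the hidden remote <object data=...> loader and the WScript.Shell classid plus .Run( pair the test relies on. The function name and the example.invalid host are assumptions; the classid is the one quoted in the post.

```powershell
# Added example (not from the thread): flags, in any HTML/HTA text, the two
# markers LowWaterMark found in the Secunia test: a remote <object data=...>
# sized 0x0 (the MS03-032 object-tag pattern) and an <object> whose classid is
# the Windows Script Host Shell control, with a .Run( call. Meant for a mail or
# proxy content filter. The sample at the bottom is constructed; host is a placeholder.
$WScriptShellClsid = 'F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'   # classid quoted in the post

function Find-ObjectTagRisks {
    param([Parameter(Mandatory)][string]$Html)
    $findings = @()
    foreach ($m in [regex]::Matches($Html, '<object\b[^>]*>', 'IgnoreCase')) {
        $tag = $m.Value
        # A 0x0 object whose data= points off-host is how the test pulls in test.html.
        if ($tag -match 'data\s*=\s*["'']?(https?://[^\s"''>]+)') {
            $url  = $Matches[1]
            $zero = ($tag -match 'width\s*=\s*["'']?0\b') -and ($tag -match 'height\s*=\s*["'']?0\b')
            if ($zero) { $findings += "hidden remote object: $url" }
        }
        # WScript.Shell instantiated by classid, as in the HTA quoted above.
        if ($tag -match "clsid:$WScriptShellClsid") {
            $findings += 'WScript.Shell object instantiated'
        }
    }
    if ($Html -match '\.Run\s*\(') { $findings += '.Run( call present' }
    return $findings
}

# Constructed sample modelled on the two snippets in the post; host is a placeholder.
$sample = @'
<object data=http://example.invalid/TEST/test.html width=0 height=0>
<html><object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>wsh.Run("iexplore.exe \"http://example.invalid/VULNERABLE/\"");</script></html>
'@
Find-ObjectTagRisks -Html $sample
```

    On the constructed sample the function returns all three findings; on ordinary pages with visible, same-origin objects it returns nothing.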
     
  15. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi LowWaterMark,

    So sorry for the misunderstanding ;)

    I came to the same conclusions as you did; I have ActiveX on prompt and use htastop too :-D

    But my so-so English led me to understand that your post said that preventing HTA execution prevented the failure in IE.

    So sorry, I am trying hard to improve my English: some more years needed :-D

    Best regards,
     
  16. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    No problem at all, Jack. ;)

    Actually, I love digging into these kinds of things. Up until now I hadn't seen a real world case where HTA was run locally, without warning, based upon a web based link. (Of course, it needed ActiveX to fire it up, but still, it is interesting.)
     
  17. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    I don't know that much about computing yet. What is Active X ?? I'm on Win XP Home. How do I disable it ?
     
  18. Rickster

    Rickster Guest

    Hi Joe:

    Start Menu > Control Panel > Internet Options > Click Security Tab > Select Custom Level. The first seven options pertain to Active X > Disable those you wish. (I disable all of them in the Internet Zone, but enable all in the trusted zone). When finished click OK and you'll be prompted if you really want to change the settings - click yes or OK. If you're already on-line in IE you can simply click Tools > Internet Options and you'll get to the same place to change your options.

    Regards, Rick
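    The Custom Level changes Rick walks through, and the bulk move of sites into the Trusted sites zone that meneer describes earlier in the thread, as an added PowerShell example that is not from the thread or from any of its posters: it reads the current user's Internet-zone ActiveX values from the registry, can set them all to Disable, and adds a host to the Trusted sites zone. The function names are my own; the registry paths and action codes are the ones IE stores its zone settings under.

```powershell
# Added example (not from the thread): audit the Internet-zone ActiveX settings
# Rickster walks through, write 'Disable' to them, and add a host to the Trusted
# sites zone as meneer does. Current user only (HKCU). 0=Enable 1=Prompt 3=Disable.
$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$DomainMap    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ActiveXActions = [ordered]@{      # IE URL-action codes, as stored in the registry
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1803' = 'File download'       # Rickster disables this one as well
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneActiveX {
    # One row per action; Flagged is $true unless the stored value is 3 (Disable).
    $values = Get-ItemProperty -Path $InternetZone
    foreach ($code in $ActiveXActions.Keys) {
        $current = $values.$code
        $setting = if ($null -eq $current) { 'not set' } else { $Labels[[int]$current] }
        [pscustomobject]@{
            Code    = $code
            Action  = $ActiveXActions[$code]
            Setting = $setting
            Flagged = ($current -ne 3)
        }
    }
}

function Set-InternetZoneActiveXDisabled {
    # Same effect as choosing Disable for each of these items under Custom Level.
    foreach ($code in $ActiveXActions.Keys) {
        Set-ItemProperty -Path $InternetZone -Name $code -Value 3 -Type DWord
    }
}

function Add-TrustedSite {
    # Zone id 2 = Trusted sites. IE keeps www.example.com as Domains\example.com\www,
    # so the host is split the way the Internet Options dialog stores it.
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    $parts = $HostName.Split('.')
    $key = if ($parts.Count -gt 2) {
        "$DomainMap\$($parts[-2..-1] -join '.')\$($parts[0..($parts.Count - 3)] -join '.')"
    } else { "$DomainMap\$HostName" }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

Test-InternetZoneActiveX | Format-Table -AutoSize
```

    Run the audit first; once every row shows Disable, each site that genuinely needs ActiveX gets its own Add-TrustedSite call rather than a relaxed Internet zone. If a domain policy sets Security_HKLM_only, the HKLM zone keys take precedence over these per-user values.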
     
  19. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    Rick, before I disable these ... what is Active X used for ?
     
  20. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Bad things in general :)
     
    Last edited by a moderator: Apr 11, 2004
  21. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    Done. I feel better already !

    Thanks for the info Rick.
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    ActiveX: for how much longer?

    Joe,

    ActiveX is used to run programs inside the IE browser.
    ActiveX controls being executed on the user's computer means that these programs can be exploited (abusing the ActiveX technology) by other malicious programs with a potentially destructive role.
    For some websites to work properly you have to enable ActiveX. To do so you could add the sites where you want them to run to your Trusted Sites, after disabling ActiveX for the Internet Zone.
    Here are a few means to protect yourself from known abuse of ActiveX:
    IE-Spyad
    SpywareBlaster

    HTH,

    Pieter
     
  23. Joe Wood

    Joe Wood Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    26
    Location:
    San Diego
    Man! am I glad I found this site ! I'm a fairly new computerer, and I've been getting a little paranoid in the last few months ! I've already installed the Spyware Blaster.
    Say, how will I know if a website needs the ActiveX enabled ??
    I'm on Win XP Home. I have Norton Internet Sec., and I'm behind a Router/Firewall. I also have the Spybot Search and Destroy.

    What else should I do, or have, to be a little safer ??

    ~ Joe www.woodsshop.com/
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Joe,

    If a website needs ActiveX to work you will get a warning that the page cannot be displayed properly.

    If you really need it to work and you trust the site, then you can add it to your trusted sites.

    A good place to start reading is here: http://www.wilders.org/
    Just follow the lead from there.
    If you have any questions, you know where to find us. ;)

    Regards,

    Pieter
     
    Last edited by a moderator: Apr 11, 2004
  25. Rickster

    Rickster Guest

    Hi Joe: There was a day when all you could do is just view a page on the web; now scripting and Active X make these pages interactive, like dancing balloons, nifty sparklers with ads and all that good (but exploitable) stuff. It’s typically necessary for playing games on the web, so you can interact with them. I often get the prompt Pieter mentioned and just click OK. Never had trouble viewing the page anyway to view the info I want, so if I miss a dancing balloon, in light of these risks it’s fine by me. I also disable File Downloads; that way if I hit a tricked link, it won’t be able to download in the first place. If I expect to download something I’m only a couple of clicks away from enabling it.

    Over time you get a feel for what sites to put in your trusted zone. Since my regular zone is so restricted when I search around, if a site can’t give me what I want unless I expose these vulnerabilities, I just move to another source that can. Follow the links and other good advice these guys offer. I’ve never had a single exploit/virus/trojan as a result. Among other things, don’t forget to follow good e-mail protocol, since e-mail represents the most prolific threat of all today (just be sure to view mail in plain text and be ultra leery of attachments). Anyway, gaining control of these security settings puts you far ahead of the game and most added security programs too. Later, Rick.
     