Microsoft Security Advisory (961051)

ronjor · Dec 11, 2008

Published: December 10, 2008

Microsoft is investigating new public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.

At this time, we are aware only of limited attacks that attempt to use this vulnerability. Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory. Additionally, there are mitigations that increase the difficulty of exploiting this vulnerability.
Click to expand...

Microsoft

Rmus · Dec 11, 2008

Bojan at ISC.SANS.ORG, has updated his analysis of this exploit:

0-day exploit for Internet Explorer in the wild
http://isc.sans.org/diary.html?storyid=5458

Note that it has followed the normal pattern of 0-day exploits, where, once the code becomes public, other malware authors package it with various exploits.

The .js file mentioned includes Flash, Real Player, the Office Snapshot Viewer exploits, as well as the IE7-XML exploit. A quick look reveals that all the exploits attempt to download a trojan binary executable file.

----
rich

ronjor · Dec 11, 2008

Microsoft Security Advisory 961051 Updated

This is Christopher Budd,

We’ve just posted a revision to Microsoft Security Advisory (961051) with the latest information from our ongoing work around this issue.

While the known attacks are only targeting Internet Explorer 7, we have found that the underlying vulnerability affects all currently supported versions of Internet Explorer. We have updated the advisory to include this information.

We’ve also added additional workarounds to the advisory and updated our guidance to recommend that you evaluate implementing two of the workarounds together for the most effective protection. Specifically, we’re recommending both setting the Internet zone security setting to High and using ACLs to disable Ole32db.dll. Our research so far has shown that these two steps together provide the most effective protections for this issue.
Click to expand...

Microsoft

Rmus · Dec 13, 2008

The revised security advisory states that supported versions of IE6 and Windows are "potentially vulnerable."

Related Software

Microsoft Internet Explorer 6
Microsoft Internet Explorer 6 Service Pack 1
...
Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows XP Service Pack 3
...
Click to expand...

An updated ISC Diary echoes that:

IE7 0day expanded to include IE6 and IE8(beta) -- now others
http://isc.sans.org/diary.html?storyid=5470

I don't want to start a panic. We have not received any reports of attacks affecting these versions (yet.)
Click to expand...

Since several sites have listed some of the domains that are carrying the exploit, this can be tested.

I used IE6 on my Win2K system. For each site I tried, the page loaded but the exploit code did nothing -- nothing but the index page was cached.

*However* -- the domain that was reported in an earlier ISC Diary is a different story. You can see the results here:

http://www.urs2.net/rsj/computing/tests/ie-7

This domain is a good example of a packaged exploit - several exploits together looking for vulnerability somewhere - and is the first time I've seen the same payload triggered by different versions of IE in one place. If past trends hold true, we are likely to see more of this.

The ISC Diary also notes that SQL injection has been seen -- the method by which the URL for the exploit is put onto a web server page. No longer are just web sites in the back alleys of the internet affected - any site can be compromised if an SQL injection vulnerability exists. An update earlier today:

MSIE 0-day Spreading Via SQL Injection
http://isc.sans.org/diary.html?storyid=5464

As the IE7 exploit code is picked up by more malware authors, additional packaging of it with other exploits is likely to follow.

Protect Accordingly!

----
rich

EASTER · Dec 13, 2008

Microsoft Internet Explorer 6 Service Pack

Windows XP Service Pack 2

Really interesting read and yet another something potentiallly hazardous to be on guard against per IE browser's. Don't these guys ever stop?

I wonder since MS catelogs all these finds of exploits if they have a direct number or even an average per year per platform.

Rmus · Dec 13, 2008

EASTER said:

...and yet another something potentiallly hazardous to be on guard against per IE browser's. Don't these guys ever stop?
Click to expand...

No, they will never stop as long as unprotected systems peruse the internet.

It's really nothing to get overly excited about - all of these browser (and plugins) exploits do the same thing: attempt to sneak in a trojan - and are easily prevented, as you know from discussions in other forums!

The task at hand is for experienced people like you and other regulars at Wilders to make uninformed users aware of how to protect their system!

Take one at a time...

----
rich

Log in or Sign up

Microsoft Security Advisory (961051)

ronjor Global Moderator

Rmus Exploit Analyst

ronjor Global Moderator

Rmus Exploit Analyst

EASTER Registered Member

Rmus Exploit Analyst

Log in or Sign up

Microsoft Security Advisory (961051)

ronjor Global Moderator

Rmus Exploit Analyst

ronjor Global Moderator

Rmus Exploit Analyst

EASTER Registered Member

Rmus Exploit Analyst

Useful Searches