Zero Day IE Exploit?

Discussion in 'NOD32 version 2 Forum' started by Mannaggia, Mar 20, 2006.

Thread Status:
Not open for further replies.
  1. Jaska

    Jaska Registered Member

    Joined:
    May 7, 2004
    Posts:
    98
    The signature update came not a second too early! Websense tells about a trojan that fully exploits this IE hole. And now they are reporting over 200 infected websites.
    http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=452

    "Attackers have begun spamming e-mail lures in an attempt to attract users to infected websites. These e-mail messages contain excerpts from actual BBC news stories and offer a link to "Read More". Users who follow this link are taken to a website that is a spoofed copy of the BBC news story from the e-mail. This website exploits the unpatched createTextRange vulnerability and is currently being used to download and install a keylogger. This keylogger monitors activity on various financial websites and uploads captured information back to the attacker."
    And

    http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=451

    "To date we have discovered more than 200 unique URL's that are using the vulnerability to run exploit code. The most common is the use of shellcode to run a Trojan Horse downloader that downloads additional payload code over HTTP. The additional payload has been various forms of BOT's, Spyware, Backdoors, and other Trojan Downloader's."
     
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Yeah it's blocking the crash and detects a trojan. So now it's working :)
     
  3. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    from http://www.nod32.com/about/press.htm#march31...

    "ESET’s NOD32 has proactively identified multiple attacks against this vulnerability heuristically, and identifies them by name as “JS/Exploit.CVE-2006-1359 trojan” since the update version 1.1457 virus signatures."
     
  4. Jaska

    Jaska Registered Member

    Joined:
    May 7, 2004
    Posts:
    98
    This is what we have been discussing here: if NOD32 was not detecting the code crashing IE, could it detect the exploits using this hole? And we never got a proper answer to this question.
     
  5. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    agreed, if someone from Eset had commented on this issue then it may not have rambled on for 5 pages
     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Yeah, finally a signature for this. But anyway I still think that was a test page and that's why it wasn't detected, because now NOD says JS/MBork.A trojan which is different from CVE....bla, bla. :D

    Hope an ESET mod will wake up and tell us the truth behind the scene. :p
     
  7. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    So what's this file that I have in quarantine on my PC? Is it related to the Zero Day IE Exploit, or something new? o_O


    This is a report processed by VirusTotal on 04/01/2006 at 16:04:50 (CET) after scanning the file "TextRange_1_.htm" file.

    Antivirus           Version         Update      Result
    AntiVir             6.34.0.14       04.01.2006  no virus found
    Avast               4.6.695.0       04.01.2006  no virus found
    AVG                 386             03.31.2006  no virus found
    Avira               6.34.0.54       04.01.2006  no virus found
    BitDefender         7.2             04.01.2006  Exploit.HTML.CreateRange.Gen
    CAT-QuickHeal       8.00            03.31.2006  no virus found
    ClamAV              devel-20060202  03.30.2006  Exploit.JS.CVE-2006-1359
    DrWeb               4.33            04.01.2006  Exploit.CVE1359
    eTrust-InoculateIT  23.71.117       04.01.2006  no virus found
    eTrust-Vet          12.4.2145       03.31.2006  JS/VU876678!exploit
    Ewido               3.5             04.01.2006  Not-A-Virus.Exploit.JS.CVE20061359.a
    Fortinet            2.71.0.0        04.01.2006  HTML/CreateTxtRng.A!tr
    F-Prot              3.16c           03.30.2006  JS/CVE-2006-1359.A@expl
    Ikarus              0.2.59.0        04.01.2006  no virus found
    Kaspersky           4.0.2.24        04.01.2006  Exploit.JS.CVE-2006-1359.a
    McAfee              4731            03.31.2006  no virus found
    NOD32v2             1.1466          03.31.2006  no virus found
    Norman              5.70.10         03.31.2006  no virus found
    Panda               9.0.0.4         04.01.2006  no virus found
    Sophos              4.04.0          04.01.2006  no virus found
    Symantec            8.0             04.01.2006  Bloodhound.Exploit.61
    TheHacker           5.9.7.123       04.01.2006  no virus found
    UNA                 1.83            03.30.2006  no virus found
    VBA32               3.10.5          03.31.2006  no virus found
     
  8. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Check your PM.
     
  9. Togg

    Togg Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    177
    Most security sites I visit, and newsletters I subscribe to, advised people to stop using IE some time ago (even the US Dept. of Homeland Security got in on the act)! :eek:

    I already had my copy of IE 'locked down', i.e. ActiveX and cross domain scripting disabled etc. and Windows Updates in the Trusted Zone, but decided to stop using it altogether nearly two years ago. I now use Opera with Firefox as backup and do not have any problems.

    No doubt there are still some sites that will refuse to work with anything but IE, but I believe that most people would benefit from switching to an alternative, keeping IE only for such sites.
     
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    well, only about 0.5 % of the websites require IE from my experience. ;)
     
  11. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    And you can get around most of those by using the User Agent Switcher Extension. I prefer making my own user agents though (use Netscape 7.2's UA and you'll be least likely to experience plugin errors; if you use IE's UA, you'll get those).
     
  12. Togg

    Togg Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    177
    So, switch browsers and stop worrying when, or if, your security apps will get a definition to deal with the latest killer exploit for IE.

    After all, you know there will be another one along in the next few weeks (or months)!
     
  13. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    If you're addressing me, I wasn't very worried about a definition to deal with the little jscript vulnerability and have been advocating that people not worry about a test page that can crash their IE browser. It's the nasties that enter via the hole that should be the main concern and I feel certain NOD32 protects against these as well or better than any product out there.
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    This is not the same exploit. The createtextrange exploit is different, and far more dangerous (and the vulnerability is unpatched as well). The createtextrange vulnerability does not simply "crash" the browser, it actually creates and runs trojans (a-la "wmf" exploit).

    So PLEASE let's not mistake one for another. Crashing the browser is one thing, uploading trojans and running them is quite another.

    Please look here for more info: http://blogs.securiteam.com/index.php/archives/369
     
  15. Togg

    Togg Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    177
    Elwood,

    Sorry if I gave the impression that I was addressing my comments to you personally.

    The general point I was trying to make was that no one need concern themselves with IE's semi-permanent state of crisis, when using an alternative is so easy. :oops: :thumb:
     
  16. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    No problem, Togg. I agree with your sentiments.
     
  17. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    Happy news: NOD32 users are safe now from the IE exploit (I think),
    because today's update 1.1468 (20060403) has the JS/Exploit.CVE-2006-1359 signature.
    Cool!
     
  18. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    :D :D
    Bye bye TextRange[1].htm
     