Infocon Yellow: IE exploits on the loose

Discussion in 'NZ Computing' started by Mark Robinson, Mar 24, 2006.

  1. http://isc.sans.org/diary.php


    IE exploit on the loose, going to yellow (NEW)
    Published: 2006-03-24,
    Last Updated: 2006-03-24 04:01:25 UTC by Jim Clausing (Version: 1)

    Folks, as Lorna predicted yesterday, it didn't take long for the exploits to
    appear for that IE vulnerability. One has been making the rounds that pops the
    calculator up (no, I'm not going to point you to the PoC code, it is easy
    enough to find if you read any of the standard mailing lists), but it is a
    relatively trivial mod to turn that into something more destructive (in fact
    one of our readers, Matt Davis, has provided us with a version that he created
    that is more destructive). For that reason, we're raising Infocon to yellow
    for the next 24 hours.

    Workarounds/mitigation
    Microsoft has posted this and suggests that turning off Active Scripting will
    prevent this exploit from working. You could, of course, always use another
    browser like Firefox or Opera, but remember that IE is so closely tied to other
    parts of the OS, that you may be running it in places where you don't realize
    you are.

    One of our readers asked whether DropMyRights from Microsoft would provide any
    protection. We haven't had an opportunity to test that out.

    I understand a snort signature to detect the exploit has been checked in to
    bleeding-snort, I'll update the story with a URL for the sig as soon as I find it.

    References
    Original Secunia bulletin: http://secunia.com/advisories/18680/
    Microsoft blog: http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx

    ------------------------
    Jim Clausing, jclausing --at-- isc.sans.org

    Microsoft Security Advisory (917077) (NEW)
    Published: 2006-03-23,
    Last Updated: 2006-03-24 03:41:08 UTC by Deborah Hale (Version: 2)

    Microsoft has just released a Security Advisory for the vulnerability in the
    way HTML Objects. This is the reason the Internet Storm Center went to yellow
    this evening.

    From the Microsoft advisory:

    "Microsoft has confirmed new public reports of a vulnerability in Microsoft
    Internet Explorer. Based on our investigation, this vulnerability could allow
    an attacker to execute arbitrary code on the user's system in the security
    context of the logged-on user. We have seen examples of proof of concept code
    but we are not aware of attacks that try to use the reported vulnerabilities or
    of customer impact at this time."

    Microsoft Suggested Workarounds:

    * Configure Internet Explorer to prompt before running Active Scripting or
    disable Active Scripting in the Internet and Local intranet security zones.
    * Set Internet and Local intranet security zone settings to "high" to prompt
    before Active Scripting in these zones.

    http://www.microsoft.com/technet/security/advisory/917077.mspx

    Microsoft says that they are still investigating and will provide more
    information as it becomes available. So stay tuned for further updates.
     
    Mark Robinson, Mar 24, 2006
    #1
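
A read-only check of the Active Scripting workaround quoted above, as an added example that is not part of the original post or of Microsoft's advisory. It assumes the standard Internet Explorer zone registry layout: zone 1 is Local intranet, zone 3 is Internet, and value 1400 is the Active Scripting action (0 = enabled, 1 = prompt, 3 = disabled). The function name is hypothetical.

```powershell
# Added example: audit the Active Scripting action (value 1400) for the two
# zones named in the workaround. Reads the registry only; changes nothing.
$zones   = @{ '1' = 'Local intranet'; '3' = 'Internet' }
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Policy hives are listed first because a policy value, when present,
# takes priority over the per-user or per-machine preference.
$hives = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingAudit {
    foreach ($hive in $hives) {
        foreach ($id in ($zones.Keys | Sort-Object)) {
            $key  = Join-Path $hive $id
            $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue

            if ($null -eq $prop) {
                # Key or value absent: this hive does not define the setting.
                $value = $null
                $state = 'NotSet'
            } else {
                $value = [int]$prop.'1400'
                $state = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { 'Unknown' }
            }

            [pscustomobject]@{
                Zone              = $zones[$id]
                Key               = $key
                Value             = $value
                State             = $state
                # True only when scripting is set to prompt or is disabled.
                MatchesWorkaround = ($value -in 1, 3)
            }
        }
    }
}

Get-ActiveScriptingAudit | Format-Table Zone, State, MatchesWorkaround, Key -AutoSize
```

A zone is covered when the highest-priority hive that defines the value reports Prompt or Disabled; rows showing NotSet mean that hive leaves the decision to the next one down.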

  2. and while I remember, anyone running sendmail should patch before the same
    thing happens there
     
    Mark Robinson, Mar 24, 2006
    #2