latest IE flaw

Discussion in 'NZ Computing' started by Shane, Jul 1, 2005.

  1. Shane

    Shane Guest

    Microsoft has issued a security advisory for Internet Explorer, after a
    research firm published a working exploit to demonstrate how attackers
    could take advantage of the flaw.
    ------

    A patch for the flaw is not available. As an interim measure, the
    software giant advises people to set their Internet and local intranet
    security zone settings to "high" before running ActiveX controls.

    ------

The gist of it was, SEC Consult found a bug, reported it to Microsoft, who
couldn't reproduce the bug, so SEC Consult released working code to BugTraq

There currently exists _NO_ Patch (and as Microsoft's patching cycle is
timed for 12th? of the month, there won't be a patch released for this bug
at least for another 10 days, maybe more)


However every script kiddy and his tail gunner has access to the code via
bugtraq (although I couldn't find it)
so I am going to reprint it from their website :)

    SEC-CONSULT Security Advisory < 20050629-0 >

    ========================================

title: IE6 javaprxy.dll COM instantiation heap corruption vulnerability

    program: Internet Explorer

    vulnerable version: 6.0.2900.2180

    homepage: www.microsoft.com

    found: 2005-06-17

    by: sk0L & Martin Eiszner / SEC-CONSULT / www.sec-consult.com

    =========================================
    background:
    ---------------
Internet Explorer supports instantiation of non-ActiveX controls, e.g. COM objects,
via <object> tags. according to M$, COM components respond gracefully to
    attempts to treat them as ActiveX controls. on the contrary, we found
    that at least 20 of the objects available on an average XP system either
    lead to an instant crash or an exception after a few reloads.

    vulnerability overview:

    ---------------
    Loading HTML documents with certain embedded CLSIDs results in null-pointer
    exceptions or memory corruption. in one case, we could leverage this bug
    to overwrite a function pointer in the data segment. it *may* be possible
    to exploit this issue to execute arbitrary code in the context of IE.

*snip* the POC (if you want it, it's easy enough to find)


    vendor status:

    ---------------

    vendor notified: 2005-06-17

    vendor response: 2005-06-17

    patch available: ?



microsoft does not confirm the vulnerability, as their product team cannot
reproduce the condition. however, they are looking at making changes to
    handle COM objects in a more robust manner in the future.



    UPDATE (2005-06-30): we have been informed that microsoft now confirms the issue,
    as it has been successfully reproduced with the version numbers listed
    above. they are currently working on a bug fix.




    --
    Hardware, n.: The parts of a computer system that can be kicked

    The best way to get the right answer on usenet is to post the wrong one.
     
    Shane, Jul 1, 2005
    #1

  2. Shane

    Shane Guest

    snip

Before I am accused of anti Microsoft behaviour, the reason I feel it
should be reposted is, it's unpatched, it's _going to be exploited_
and most of us here work in support (meaning we are going to see the
effects of this over the next couple of weeks)

    The workaround released is
    Set the Internet and local intranet security zone settings to "high"
    before running ActiveX controls.


    although I myself am not sure if this is going to work

    --
    Hardware, n.: The parts of a computer system that can be kicked

    The best way to get the right answer on usenet is to post the wrong one.
     
    Shane, Jul 1, 2005
    #2

  3. Shane

    H.O.G Guest

    On Sat, 02 Jul 2005 09:29:40 +1200, Shane <-a-geek.net>
    spoke these fine words:

    >
    >However every script kiddy and his tail gunner has access to the code via
    >bugtraq (although I couldnt find it)


    >Internet Explorer supports instantiation of non-ActiveX controls, e.g COM objects,
    > via <object> tags. according to M$, COM components respond gracefully to
    > attempts to treat them as ActiveX controls. on the contrary, we found
    > that at least 20 of the objects available on an average XP system either
    > lead to an instant crash or an exception after a few reloads.


    Oh no! They can crash IE!!

    It used to be a lot easier. You could just use the <crash> tag.
     
    H.O.G, Jul 2, 2005
    #3
  4. Shane

    Shane Guest

    On Sat, 02 Jul 2005 11:39:18 +1200, H.O.G wrote:

    > On Sat, 02 Jul 2005 09:29:40 +1200, Shane <-a-geek.net>
    > spoke these fine words:
    >
    >>
    >>However every script kiddy and his tail gunner has access to the code via
    >>bugtraq (although I couldnt find it)

    >
    >>Internet Explorer supports instantiation of non-ActiveX controls, e.g COM objects,
    >> via <object> tags. according to M$, COM components respond gracefully to
    >> attempts to treat them as ActiveX controls. on the contrary, we found
    >> that at least 20 of the objects available on an average XP system either
    >> lead to an instant crash or an exception after a few reloads.

    >
    > Oh no! They can crash IE!!
    >
    > It used to be a lot easier. You could just use the <crash> tag.


heh..
the POC can be changed to run arbitrary code, surely you don't treat that as
lightly?
eg.
websurfer goes to naughty site, using IE,
    Naughty site (Using the IE bug as its vector of attack) installs
    _anything_ it damn well wishes
    (Of course you would have to have seen the POC and the authors comment to
    have known this)


    --
    Hardware, n.: The parts of a computer system that can be kicked

    The best way to get the right answer on usenet is to post the wrong one.
     
    Shane, Jul 2, 2005
    #4
  5. In article <-a-geek.net>,
    Shane <-a-geek.net> wrote:

    >The workaround released is
    >Set the Internet and local intranet security zone settings to "high"
    >before running ActiveX controls.


    Why do you need to run ActiveX controls? It was known that they were a
    stupid idea right from the beginning.
     
    Lawrence D’Oliveiro, Jul 12, 2005
    #5
  6. Shane

    Shane Guest

    On Tue, 12 Jul 2005 19:30:51 +1200, Lawrence D’Oliveiro wrote:

    > In article <-a-geek.net>,
    > Shane <-a-geek.net> wrote:
    >
    >>The workaround released is
    >>Set the Internet and local intranet security zone settings to "high"
    >>before running ActiveX controls.

    >
    > Why do you need to run ActiveX controls? It was known that they were a
    > stupid idea right from the beginning.


Windows Update needs an ActiveX control installed IIRC
(which smacks of more than a little irony)

    --
    Hardware, n.: The parts of a computer system that can be kicked

    The best way to get the right answer on usenet is to post the wrong one.
     
    Shane, Jul 12, 2005
    #6
  7. Lawrence D’Oliveiro wrote:
    >>The workaround released is
    >>Set the Internet and local intranet security zone settings to "high"
    >>before running ActiveX controls.


There are several other workarounds available, including:
- Disable the Javaprxy.dll COM object from running in Internet Explorer
- Change your Internet Explorer to prompt before running, or disable,
  ActiveX controls in the Internet and Local intranet security zones
- Unregister the Javaprxy.dll COM object
- Restrict access to Javaprxy.dll in Internet Explorer by using a Software
  Restriction Policy
- Remove the Microsoft Java Virtual Machine from your system using the
  Java Removal Tool
     
    Nathan Mercer, Jul 12, 2005
    #7
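The first and third workarounds in the post above ("disable the Javaprxy.dll COM object from running in Internet Explorer" and "unregister the Javaprxy.dll COM object") are what the following PowerShell script carries out and verifies. This is an added example written for this page, not code from the thread, from SEC Consult or from Microsoft. Disabling a COM object in IE is done with Microsoft's documented "kill bit": a `Compatibility Flags` DWORD with bit 0x400 set under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, after which IE refuses to instantiate that CLSID from `<object>` tags regardless of zone settings. The CLSID in the script is a placeholder, since the thread does not give it; on an affected machine, find the real one by searching the `InprocServer32` values under `HKCR\CLSID` for `javaprxy.dll` and pass it as `-Clsid`.

```powershell
# Added example: set and verify the IE ActiveX kill bit for a COM object's CLSID,
# optionally unregistering the DLL as well. Not from the thread or from Microsoft.
# The default CLSID below is a PLACEHOLDER and will not match javaprxy.dll.
#Requires -RunAsAdministrator

param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder, replace
    [switch]$Unregister                                         # also run regsvr32 /u
)

$KillBit  = 0x400   # "don't load" flag: IE will not instantiate this CLSID
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KeyPath  = Join-Path $BasePath $Clsid

function Set-ActiveXKillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Preserve any compatibility flags already present and OR in the kill bit.
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor $KillBit
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new `
        -PropertyType DWord -Force | Out-Null
    return $new
}

function Test-ActiveXKillBit {
    # Read the value back rather than trusting the write succeeded.
    param([string]$Path)
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

$flags = Set-ActiveXKillBit -Path $KeyPath
if (Test-ActiveXKillBit -Path $KeyPath) {
    Write-Host ("Kill bit set for {0} (Compatibility Flags = 0x{1:X})" -f $Clsid, $flags)
} else {
    Write-Error "Kill bit could not be verified for $Clsid"
}

# Belt and braces: unregister the DLL so no host (not only IE) can create the object.
if ($Unregister) {
    $dll = Join-Path $env:SystemRoot 'System32\javaprxy.dll'
    if (Test-Path $dll) {
        & regsvr32.exe /u /s $dll
        Write-Host "Unregistered $dll"
    } else {
        Write-Warning "$dll not found on this system"
    }
}
```

Run it from an elevated prompt as `.\Set-KillBit.ps1 -Clsid '{real-clsid-here}'`, adding `-Unregister` for the second workaround. The kill bit is preferred over unregistering alone because it survives a later re-registration of the DLL (for instance by a reinstall of the Java VM), and it is the same mechanism that a vendor patch typically applies when a control is deemed unsafe for scripting.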
  8. On Tue, 12 Jul 2005 19:30:51 +1200, Lawrence D’Oliveiro
    <_zealand> wrote:

    >In article <-a-geek.net>,
    > Shane <-a-geek.net> wrote:
    >
    >>The workaround released is
    >>Set the Internet and local intranet security zone settings to "high"
    >>before running ActiveX controls.

    >
    >Why do you need to run ActiveX controls? It was known that they were a
    >stupid idea right from the beginning.


Actually it's a pretty good technology
ActiveX after all is just OLE taken into web pages
OLE is a good technology
ActiveX is a plugin interface
     
    FreedomChooser, Jul 13, 2005
    #8
  9. In article <>,
    FreedomChooser <> wrote:

    >On Tue, 12 Jul 2005 19:30:51 +1200, Lawrence D’Oliveiro
    ><_zealand> wrote:
    >
    >>In article <-a-geek.net>,
    >> Shane <-a-geek.net> wrote:
    >>
    >>>The workaround released is
    >>>Set the Internet and local intranet security zone settings to "high"
    >>>before running ActiveX controls.

    >>
    >>Why do you need to run ActiveX controls? It was known that they were a
    >>stupid idea right from the beginning.

    >
    >Actually its a pretty good technology


    ....except for the security holes.

    Kind of like saying that nuclear bombs are pretty good technology ...
    except for the fallout.
     
Lawrence D’Oliveiro, Jul 15, 2005
    #9