Zero-day exploit -- IE users be careful

[Jeff Agnew]

There is a zero-day exploit for Internet Explorer that allows a hacker to take control of your machine after you simply browse to a web page containing the malicious code.

Until MS issues a patch, you should either use a different browser or:

<SMALL> immediately disable "Active Scripting via the Tools > Internet Options > Security tab > Custom Level feature.</SMALL>

Turning off active scripting (the MS term for Javascript) may break some web site features you need. If you still need these functions you can safely use Firefox or Opera.

[Wiz Feinberg]

<h2>Microsoft Security Advisory (911302)</h2>
<h4>Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects Could Allow Remote Code Execution.</h4>

Read the complete security advisory here: http://www.microsoft.com/technet/security/advisory/911302.mspx

Note that Microsoft advises administrator level users to set Active Scripting to disabled or prompt, for the Internet and Intranet Zones, as a workaround. If you do this you will need to place Windows Update and possibly your banking websites into the Trusted Sites Zone.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services</small>
<font size="1" color="#8e236b"><p align="center">[This message was edited by Wiz Feinberg on 22 November 2005 at 06:48 PM.]</p></FONT>

[b0b]

Every try to use the web with Javascript set to "prompt"? Painful!

[Wiz Feinberg]

<h2>Exploit Code Out for IE Flaw</h2>

Security experts have warned of the existence of exploit code for a
new flaw in Internet Explorer, that can leave systems open to remote
attack.

Security researcher - Secunia, said in its advisory, that the exploit
code aims at taking advantage of the "extremely critical"
vulnerabilities in IE 5.5 and IE 6 running on XP Service Pack 2 (SP2),
as also in IE 6 running on Windows 2000 SP4.

The exploit code was published by an organization called "Computer
Terrorism".

In the event a user is tricked into visiting a malicious Web site, the
exploit triggers off automatically without the user having to do
anything. The attacker can use the exploit to run any code on a user's
system.

Reportedly the vulnerability lies in a Javascript component of IE,
which is used to load Web pages onto a PC. The IE vulnerability has
been known for the past six months, but was earlier viewed as a
problem for denial-of-service attacks rather than remote execution of
code.

Microsoft never issued a patch for the flaw, since it was initially
believed to involve only a potential DOS attack.

Security experts say that as of now users can work around the problem, either by shutting off Javascript or using another type of browser.

A Microsoft representative said that the company is investigating the
matter, and upon completion of investigation will issue a patch either
as part of its monthly security bulletin, or in the form of a separate
security advisory.<font size="1" color="#8e236b"><p align="center">[This message was edited by Wiz Feinberg on 24 November 2005 at 08:41 AM.]</p></FONT>

[Wiz Feinberg]

<h3>Internet Explorer flaw 'extremely critical, worse than expected'</h3>

"An unpatched vulnerability on Internet Explorer is so bad that
security expert Secunia has had to add a new category of danger to its
rating system," Nick Farrell reports for The Inquirer. "Instead of
being just critical, Secunia says that the unpatched hole is now
'extremely critical' which means that Microsoft were extremely stupid
to sit on it for six months."

Farrell reports, "S. Pearson, of computerterrorism.com, has worked out
that if a Javascript prompt box was of the right size and form to
allow the insertion of custom shellcode a remote attacker can execute
arbitrary code embedded into an otherwise normal looking Web page. You
can have a look at it in action at http://www.computerterrorism.com "

Full article here: http://www.theinquirer.net/?article=27992

Larry Loeb reports for Security IT Hub, "The vulnerability has been
confirmed on a fully patched system with Internet Explorer 6.0 and
Microsoft Windows XP SP2, and Internet Explorer 6.0 and Microsoft
Windows 2000 SP4. IE 5.x is also considered to be vulnerable... Since
MS has not addressed this issue in IE, the only way to mitigate is to
disable active scripting for non-trusted sites. Or don't use IE."

Full article here: http://www.security.ithub.com/article/Unpatched+IE+Flaw...


------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services</small><font size="1" color="#8e236b"><p align="center">[This message was edited by Wiz Feinberg on 01 December 2005 at 09:36 AM.]</p></FONT>

[Ricky Davis]

Wiz; when I clicked on your "full article here"; my anti-spam immediately said it just blocked someone trying to hack into my computer???
Didn't try any of the other links....as I'm scared of that stuff now..>but just warning ya.
Ricky<font size="1" color="#8e236b"><p align="center">[This message was edited by Ricky Davis on 01 December 2005 at 01:07 PM.]</p></FONT>

[Wiz Feinberg]

Ricky;
That means that your security programs are indeed up to snuff. In my case trying to load the POC code crashed Firefox 1.5. I did not have any problems with the other links to the writeups, only when I ran the POC code.

Here is a quote from a blogger on the last site I linked to, on security.ithub.com/:
<BLOCKQUOTE><font size="1" face="Verdana, Arial, Helvetica">quote:</font><HR><SMALL>
McAfee AntiVirus v8.0i Stops the POC Page by anonymous, 11/29/2005 5:06:58 PM

I tried the proof of concept page using a fully patched Win2K and IE6 machine. The page appeared normally, but when I clicked the link, VirusScan displayed an Alert listing files it identified as JS/Exploit-BO.gen Trojans and deleted. VirusScan also listed the script, and that execution was locked.
</SMALL><HR></BLOCKQUOTE>
Wiz<font size="1" color="#8e236b"><p align="center">[This message was edited by Wiz Feinberg on 01 December 2005 at 02:10 PM.]</p></FONT>

[Wiz Feinberg]

I just tried out the POC test in Internet Explorer 6. IE crashed within a few seconds after clicking the link for Windows XP Service Pack 2, then closed. A few seconds later I got the crash reporting dialog box and allowed it to submit the crash analysis to Microsoft. Shortly thereafter FF (my default browser) opened to a page on MS that deals with crash reports, telling me this:
<BLOCKQUOTE><font size="1" face="Verdana, Arial, Helvetica">quote:</font><HR><SMALL>
<h3>A workaround is available: Turn off Internet Explorer add-ons</h3>

Problem description:
The error was likely caused by Microsoft Internet Explorer.
snip
</SMALL><HR></BLOCKQUOTE>
This crash was not caused by any add-ons. It was caused by a now 6 month old unpatched vulnerability in the MSIE Javascript engine, when dealing with a specially crafted window.onload() function.<font size="1" color="#8e236b"><p align="center">[This message was edited by Wiz Feinberg on 01 December 2005 at 04:41 PM.]</p></FONT>