
SANS ISC: MS Responds to IE Vulnerabilities With Patch


MS Responds to IE Vulnerabilities With Patch
Internet Explorer Patch



Today's big news revolves around Microsoft releasing an out-of-cycle fix for the vulnerabilities recently exploited by the Download.Ject malware (among others).



This patch will turn off the ADODB.Stream ActiveX control, which has been used in conjunction with last week's Russian web site defacements to install malware on unsuspecting users' PCs. Given the urgency demonstrated by last week's exploits, Microsoft released this patch ahead of its next "Patch Day" (July 13th). However, as demonstrated by the proof-of-concept code linked below, even after ADODB.Stream is disabled it is still possible to launch programs on the user's system without user interaction.



(Note: We verified the link and the proof-of-concept code appears harmless. It will open a cmd.exe shell and wait for the user to press a key. However, we have no control over the exploit site and the code may change at any time.)



The underlying issue was first made public on Bugtraq about 10 months ago.



If you are using Microsoft Internet Explorer to browse the Internet, we suggest that you set the security level for your "Internet Zone" to High. This will disable the functions that lead to the exploit. However, it will also disable Windows Update, unless you add the Windows Update server to your list of secure (trusted) sites.

Other tips:

* Be very picky about adding sites to your set of secure sites. While the administrator may be well intentioned, the Russian web defacements showed that even regular sites can harbor malicious code.

* Do not follow links to untrusted sites, and carefully inspect links sent to you via email before following them.

* Run an up-to-date virus scanner. Not a 100% fix given the rapid deployment of new malware, but it may help.

* Run a firewall with tight outbound traffic control. This will not fix the initial infection, but it may prevent a trojan from calling home and downloading additional components. It will also alert you of the malware once it attempts to call home.
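As an added, read-only check (not part of the original diary), the following PowerShell script reports whether the three mitigations above are in place on a Windows host: the ADODB.Stream kill bit the patch sets, the Internet zone at High, and Windows Update listed as a trusted site. The ADODB.Stream CLSID and the zone registry layout are assumptions taken from Microsoft's kill-bit and URL-zone documentation, not from this page.

```powershell
# Added example: audit the mitigations discussed in the diary. Read-only.
# Assumed (not from the page): ADODB.Stream CLSID and the Zones/ZoneMap layout.
$killBitPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}'
$zonesPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domainsPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Test-AdodbStreamKillBit {
    # The kill bit is bit 0x400 of "Compatibility Flags" under the control's CLSID.
    $props = Get-ItemProperty -Path $killBitPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    $flags = $props.'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

function Test-InternetZoneHigh {
    # Zone 3 is the Internet zone; CurrentLevel 0x12000 is the "High" template.
    $props = Get-ItemProperty -Path "$zonesPath\3" -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    return $props.CurrentLevel -eq 0x12000
}

function Test-WindowsUpdateTrusted {
    # ZoneMap\Domains\<domain>\<host> holds one DWORD per scheme; 2 = Trusted sites.
    $props = Get-ItemProperty -Path "$domainsPath\microsoft.com\windowsupdate" -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    foreach ($scheme in 'http', 'https', '*') {
        $p = $props.PSObject.Properties[$scheme]
        if ($null -ne $p -and $p.Value -eq 2) { return $true }
    }
    return $false
}

[PSCustomObject]@{
    'ADODB.Stream kill bit set'       = Test-AdodbStreamKillBit
    'Internet zone set to High'       = Test-InternetZoneHigh
    'Windows Update in Trusted sites' = Test-WindowsUpdateTrusted
} | Format-List
```

A result of False on the first line means the out-of-cycle fix (or an equivalent kill-bit change) has not been applied to that machine; the zone checks read the current user's settings only.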

Continuing MSIE exploit reports

Additionally, the ISC is continuing to receive numerous reports of malware compromising systems via Internet Explorer vulnerabilities. If you experience this (especially post-patch) please submit the relevant information for dissection by our malware analysis group.



Relevant links:



Download.Ject is referenced in an earlier diary:
http://isc.incidents.org/diary.php?date=2004-06-24

The Microsoft press release:
http://www.microsoft.com/presspass/press/2004/jul04/07-02configchange.asp

BugTraq reference:
http://www.securityfocus.com/bid/10514/info/

*** POC EXPLOIT --- FOLLOW THIS LINK WITH CARE ***
http://62.131.86.111/security/idiots/malware2k/installer.htm
SANSFIRE: Hug^H^H^H Meet an ISC Handler



In case you've missed the banner hovering above this text, SANSFIRE 2004 begins this upcoming Tuesday in Monterey, California. Many of the ISC's handlers will be in attendance, so be sure to stop by and say hello. Handlers expected to be present include Marc Sachs, Johannes Ullrich, Ed Skoudis, Lenny Zeltser, Toby Kohlenberg, Pedro Bueno, Mike Poor, and last and certainly least, yours truly, Cory Altheide. The IPNET is the official handlers' pen, but handlers can usually be found in the proximity of any bar with WiFi access.



See you next week!



---------------------------------

Cory Altheide

Handler on Duty