
IE "createTextRange()" vuln


18 replies to this topic

#1 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 22 March 2006 - 12:54 PM

FYI...

- http://secunia.com/advisories/18680/
Release Date: 2006-03-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
...Successful exploitation allows execution of arbitrary code. The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview. Other versions may also be affected.
Solution:
Do not visit untrusted web sites.
NOTE: The vendor is currently working on a patch..."

:huh:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 AplusWebMaster

Posted 22 March 2006 - 02:00 PM

FYI...

- http://isc.sans.org/...hp?storyid=1209
Last Updated: 2006-03-22 19:30:08 UTC
"...'This can be exploited by e.g. a malicious web site to corrupt memory in a way, which allows the program flow to be redirected to the heap.' In simpler terms, it's a heap overflow just waiting to happen. I doubt we will have to wait long for exploit code to be published. There are no security workarounds at this time. We will keep you posted if we find out any additional information..."

:(

#3 AplusWebMaster

Posted 23 March 2006 - 02:42 AM

Update:

- http://secunia.com/advisories/18680/
Last Update: 2006-03-23
Critical: Highly critical ...
Solution:
Disable Active Scripting support.
NOTE: The vendor is currently working on a patch...
Changelog:
2006-03-23: Added link to US-CERT vulnerability note. Added link to Microsoft Security Response Center Blog. Updated "Solution" section.
Original Advisory:
Microsoft Security Response Center Blog:
http://blogs.technet.../22/422849.aspx
Other References:
US-CERT VU#876678:
http://www.kb.cert.org/vuls/id/876678 ..."

:ph34r:

#4 AplusWebMaster

Posted 23 March 2006 - 03:24 PM

FYI...

IE exploit on the loose... InfoCon to Yellow
- http://isc.sans.org/...hp?storyid=1212
Last Updated: 2006-03-23 20:55:28 UTC
"...it didn't take long for the exploits to appear for that IE vulnerability. One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive... For that reason, we're raising Infocon to yellow for the next 24 hours.
Workarounds/mitigation
Microsoft has posted this* and suggests that turning off Active Scripting will prevent this exploit from working. You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are..."

* http://blogs.technet.../22/422849.aspx
"...if you turn off Active Scripting, that will prevent the attack as this requires script. Customers who use supported versions of Outlook or Outlook Express aren’t at risk from the email vector since script doesn’t render in mail (being read in the restricted sites zone)..."

:ph34r: :ph34r:

#5 AplusWebMaster

Posted 23 March 2006 - 08:16 PM

FYI... albeit late, and according to the Advisory, they "are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time"... 'Must be tough to see out of that Glass House:

Microsoft Security Advisory (917077)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
- http://www.microsoft...ory/917077.mspx
March 23, 2006 ..."


:ph34r:

#6 AplusWebMaster

Posted 24 March 2006 - 09:30 AM

FYI...

- http://secunia.com/advisories/18680/
Last Update: 2006-03-24
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.x ...

...NOTE: Exploit code is publicly available...
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected...

- http://secunia.com/s...006-7/advisory/
"...Time Table
10/02/2006 - Vulnerability discovered.
13/02/2006 - Vendor notified.
21/02/2006 - Vendor confirms vulnerability.
22/03/2006 - Vulnerability reported to public mailing lists by third-party.
23/03/2006 - Public disclosure..."

:( :ph34r: <_<

#7 AplusWebMaster

Posted 24 March 2006 - 12:32 PM

FYI...

- http://isc.sans.org/...hp?storyid=1212
Last Updated: 2006-03-24 17:46:38 UTC
"Update: We just received a report that a particular site uses the "createTextRange" vulnerability to install a spybot variant. It is a minor site with insignificant visitor numbers according to Netcraft's 'Site rank'..."


:huh:

#8 AplusWebMaster

Posted 25 March 2006 - 08:17 PM

FYI...

Updated Security Advisory (917077)...
- http://isc.sans.org/...hp?storyid=1217
Last Updated: 2006-03-25 22:47:43 UTC
"Microsoft Updated Security Advisory (917077)*... and says "Advisory updated with indication of limited attacks." In this instance, "attacks" = malicious websites..."

* http://www.microsoft...ory/917077.mspx
Revisions:
• March 23, 2006: Advisory published
• March 24, 2006: Advisory updated with indication of limited attacks..."

:huh:

#9 AplusWebMaster

Posted 25 March 2006 - 09:20 PM

FYI...

Modified Malware for the IE Exploit
- http://isc.sans.org/...hp?storyid=1221
Last Updated: 2006-03-26 02:35:18 UTC
"... There are several sites that have been compromised and now contain the exploit code. These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it. It is calc.exe that we want to focus on briefly.
This malware installs a dll that is used as a Browser Helper Object (BHO) and also copies itself to the directory you see below as nm32.exe and runs as a process. The malware creates the following on install:
C:\WINNT\fyt\mn32.dll
C:\WINNT\fyt\nm32.exe
C:\WINNT\fyt\~ipcfg636
C:\WINNT\fyt\~start636
C:\WINNT\fyt\~tmp636
C:\WINNT\fyt\~view636
It also creates one called sub.txt when you surf the internet and records everything that it can about where you surf and do and any information it can get... the individual seems to realize that folks are on to them. I'm pretty sure that the malware has just been changed since it's easier to modify the malware and where it FTPs to than to go back to all the hacked sites..."

:ph34r:
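A sweep for the file artifacts listed in the quoted ISC diary, run over a file listing collected from a host. This is an added example, not part of the original post or of the ISC diary; the `C:\WINDOWS` variant of the directory, the location of `sub.txt`, and the sample listing are assumptions made here.

```python
import re

# File names the quoted diary lists under C:\WINNT\fyt\ (lower-cased,
# because Windows file names are case-insensitive).
FYT_ARTIFACTS = {
    "mn32.dll", "nm32.exe",
    "~ipcfg636", "~start636", "~tmp636", "~view636",
}
# Assumption: the diary names sub.txt but not its location; this example
# only reports it when it sits inside the fyt directory.
ASSUMED_LOG = "sub.txt"
# The diary shows C:\WINNT; "windows" is added as an assumption for hosts
# whose Windows directory uses the other common name.
WINDOWS_DIRS = {"winnt", "windows"}


def classify(path):
    """Return 'artifact', 'log', 'fyt-other' or None for one file path."""
    parts = [p for p in re.split(r"[\\/]+", path.strip().lower()) if p]
    # Expected shape: <drive>: \ <windows dir> \ fyt \ <file name>
    if len(parts) != 4 or not re.fullmatch(r"[a-z]:", parts[0]):
        return None
    _, windir, subdir, name = parts
    if windir not in WINDOWS_DIRS or subdir != "fyt":
        return None
    if name in FYT_ARTIFACTS:
        return "artifact"
    if name == ASSUMED_LOG:
        return "log"
    # Anything else in that directory is still worth a look.
    return "fyt-other"


def sweep(listing):
    """Return (kind, path) for every line of a file listing that matches."""
    hits = []
    for line in listing:
        kind = classify(line)
        if kind:
            hits.append((kind, line.strip()))
    return hits


# Constructed sample listing (for example the output of "dir /s /b").
SAMPLE_LISTING = [
    r"C:\WINNT\system32\calc.exe",          # the genuine calculator
    r"C:\WINNT\fyt\mn32.dll",
    r"c:\winnt\FYT\NM32.EXE",
    r"C:\WINDOWS\fyt\~tmp636",
    r"C:\WINNT\fyt\sub.txt",
    r"C:\WINNT\fyt\readme.txt",
    r"D:\backup\fyt\nm32.exe",              # not under the Windows directory
    r"C:\Documents and Settings\user\sub.txt",
]

if __name__ == "__main__":
    for kind, path in sweep(SAMPLE_LISTING):
        print(f"{kind:10} {path}")
```

The diary itself says the malware is being changed, so an empty result from this sweep does not show that a host is clean.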

#10 AplusWebMaster

Posted 26 March 2006 - 10:05 AM

FYI...

Email attachment vector for IE createTextRange() Remote Command Execution
- http://isc.sans.org/...hp?storyid=1222
Last Updated: 2006-03-26 14:24:42 UTC

"Do You Want To Open This File?
Just for the sake of clarity, there is an email attachment vector for this exploit that's not widely reported. I have not seen any reports of it being used at this time. MS's bulletin, in the FAQ's, in "Could this vulnerability be exploited through e-mail?", says it can be exploited if one "open(s) an attachment that could exploit the vulnerability." ISS obliquely says attacks may occur by "...simply embedding the required logic in specially crafted HTML emails.".
MS doesn't have a bulletin description specific to malicious email attachments, but one of their global workarounds includes prompting or disabling active scripting in the Local intranet security zone, which addresses a malicious attachment exploit in this situation. In addition, keeping gateway email AV sigs up to date is advisable..."

:ph34r:
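An audit of the Active Scripting workaround quoted in this post and in post #4, as an added example that is not part of the original posts or of any advisory. It reads a decoded `.reg` export of the per-user Internet Settings zones and reports the Active Scripting action (registry value `1400`) for the Local intranet, Internet and Restricted sites zones; the pass criteria per zone and the sample export are assumptions of this example.

```python
import re

ZONES_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
             r"\CurrentVersion\Internet Settings\Zones")
ZONE_NAMES = {1: "Local intranet", 3: "Internet", 4: "Restricted sites"}
ACTIONS = {0: "enabled", 1: "prompt", 3: "disabled"}
# Assumed pass criteria: prompt or disable where the posts describe the
# workaround, disable only where mail is said to be rendered.
ACCEPTABLE = {1: {1, 3}, 3: {1, 3}, 4: {3}}

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"1400"=dword:([0-9a-fA-F]{8})$')


def parse_1400(reg_text):
    """Map zone number -> value of "1400" found in the export text."""
    prefix = ZONES_KEY.lower() + "\\"
    found, zone = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1).lower()
            tail = key[len(prefix):] if key.startswith(prefix) else ""
            zone = int(tail) if tail.isdigit() else None
            continue
        m = VALUE.match(line)
        if m and zone is not None:
            found[zone] = int(m.group(1), 16)
    return found


def audit(reg_text):
    """Return {zone name: (state, workaround_in_place)}."""
    found = parse_1400(reg_text)
    report = {}
    for zone, name in ZONE_NAMES.items():
        value = found.get(zone)
        if value is None:
            # Absent per-user value: the effective setting comes from
            # elsewhere, so it cannot be confirmed from this export.
            report[name] = ("not set", False)
        else:
            state = ACTIONS.get(value, f"unknown({value})")
            report[name] = (state, value in ACCEPTABLE[zone])
    return report


# Constructed sample export, already decoded to text.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1400"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
"""

if __name__ == "__main__":
    for name, (state, ok) in audit(SAMPLE_EXPORT).items():
        print(f"{name:17} {state:9} {'ok' if ok else 'REVIEW'}")
```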

#11 AplusWebMaster

Posted 26 March 2006 - 01:08 PM

FYI...

- http://www.websenses...php?AlertID=451
March 26, 2006
"...To date we have discovered more than 200 unique URL's that are using the vulnerability to run exploit code. The most common is the use of shellcode to run a Trojan Horse downloader that downloads additional payload code over HTTP. The additional payload has been various forms of BOT's, Spyware, Backdoors, and other Trojan Downloader's. Our honeyclients are actively scanning for sites that are using this vulnerability to run code without user-interaction..."
----------------------------------
If you aren't using the Firefox browser, NOW would be a good time to start:
- http://www.mozilla.com/firefox/
----------------------------------

:ph34r: :ph34r: :ph34r:

Edited by AplusWebMaster, 26 March 2006 - 01:43 PM.

#12 AplusWebMaster

Posted 27 March 2006 - 06:39 AM

FYI...

- http://blogs.technet.../27/423176.aspx
Monday, March 27, 2006 12:36 AM
"...the IE team has the update in process right now and if warranted we’ll release that as soon as it’s ready to protect customers (right now our testing plan has it ready in time for the April update release cycle)..."


:blink:

#13 AplusWebMaster

Posted 28 March 2006 - 04:56 AM

FYI...

eEye offers temporary IE fix
- http://news.com.com/..._3-6054583.html
Published: March 27, 2006, 6:35 PM PST
Last modified: March 27, 2006, 10:50 PM PST
"eEye Digital Security released a temporary fix* on Monday for Internet Explorer to combat attacks that exploit a recently disclosed security hole in the browser. The unofficial fix blocks access to the vulnerable component in the Microsoft Web browser, preventing malicious Web sites from taking advantage of the vulnerability, said Steve Manzuik, security product manager at eEye in Aliso Viejo, Calif. Microsoft does not have a fix for the flaw available yet. Though eEye's patch does protect PCs against attacks that take advantage of the flaw, the company recommends installing the fix only as a last resort. "Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," Manzuik said. Disabling Active Scripting is Microsoft's suggested work-around. "This patch is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw," Manzuik said. eEye, which makes an intrusion-prevention product called Blink, crafted the fix at the request of its customers, Manzuik said. "Customers who don't have Blink deployed yet were looking for a temporary solution," he said. However, eEye has made the fix available for anyone, on its Web site. Microsoft doesn't recommend installing eEye's fix. "We have not tested this mitigation tool," said Stephen Toulouse, a program manager in Microsoft's Security Response Center. "We can't recommend it because we have not tested it...Customers should weigh the risk of applying something like this to their systems"..."

* http://www.eeye.com/...AL20060324.html

#14 AplusWebMaster

Posted 28 March 2006 - 06:59 AM

FYI...

Temporary Patches for createTextRange Vuln
- http://isc.sans.org/...hp?storyid=1226
Last Updated: 2006-03-28 12:24:34 UTC
"Eeye released a temporary patch for the current createTextRange vulnerability. The patch can be found here:
http://www.eeye.com/...AL20060324.html . A second patch has been made available by Determina ( http://www.determina...rch272006_1.asp ).
At this point, we do not recommend applying this temporary patch for a number of reasons:
* The workaround, to turn off Active Scripting AND to use an alternative browser is sufficient at this point.
* We have not been able to vet the patch. However, source code is available for the Eeye patch, so you can do so yourself. Determina has not released source code at this point.
* Exploit attempts are so far limited. But this could change at any time.
Some specific cases may require you to apply the third party patch. For example, if you are required to use several third party web sites which only function with Internet Explorer and Active Scripting turned on. In this case, we ask you to test the patch first in your environment. You may also want to consider contacting Microsoft. Microsoft may not be aware of the importance of security to its customers.
We do suspect that Microsoft will still release an early patch given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within 2 days if needed. Microsoft has honed its patching skills from numerous prior patches. At this point, Microsoft suggested that the patch will be released no later than the second Tuesday in April. Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments.
Please let us know about issues (or successful installs) of either patch. We will summarize issues here."

#15 AplusWebMaster

Posted 28 March 2006 - 04:39 PM

FYI...

MS Security Advisory 917077 (updated)
- http://www.microsoft...ory/917077.mspx
Updated: March 28, 2006
"...Microsoft has been carefully monitoring the attempted exploitation of the vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the attacks are limited in scope at this time...
Microsoft is completing development of a cumulative security update for Internet Explorer that addresses the recent “createTextRange” vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the April security updates on April 11, 2006, or sooner as warranted.
Customers who follow the suggested actions and workarounds in this advisory are less likely to be compromised by exploitation of this vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code...

• March 28, 2006: Advisory updated with information regarding additional security software protections, current limited scope of attacks, and the status of the Internet Explorer security update."
