Infocon status to Yellow, re: IEv6 vuln - no patch


11 replies to this topic

#1 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 21 November 2005 - 03:42 PM

FYI...

- http://isc.sans.org/...php?storyid=877
Last Updated: 2005-11-21 21:20:36 UTC
"Infocon has been raised to Yellow due to the exploit being publicly available, combined with the lack of a patch for this specific vulnerability. Disable Javascript in your Internet Explorer browsers, or switch to another browser..."
- http://isc.sans.org/...php?storyid=874
Last Updated: 2005-11-21 20:15:54 UTC
"UK group "Computer Terrorism" released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration..."
...Impact:
Arbitrary executables may be executed without user interaction...
Mitigation:
Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting Firefox. But others may. For Firefox, the extension 'noscript' can be used to easily allow Javascript for selected sites only..."

:ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster


Posted 21 November 2005 - 07:22 PM

More...

- http://www.techweb.c..._section=700028

- http://secunia.com/advisories/15546/
Last Update: 2005-11-21
"Critical: Extremely critical
...The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2, and Internet Explorer 6.0 and Microsoft Windows 2000 SP4.
Note: A PoC exploit has been released for this vulnerability.
Solution:
Disable Active Scripting except for trusted sites..."

:ph34r:



#3 AplusWebMaster


Posted 30 November 2005 - 10:03 PM

FYI...

- http://isc.sans.org/...php?storyid=908
Last Updated: 2005-12-01 02:30:59 UTC
"...It was just a question of when will malware authors start exploiting this Internet Explorer vulnerability. When users visit certain web sites, a file will be dropped on their machine using this exploit. The file being dropped is currently detected as TrojanDownloader:Win32/Delf.DH. When executed, this dropper will download another trojan..."

- http://www.microsoft...r:Win32/Delf.DH
"Class/type: Trojan - Downloader
Discovered: November 29, 2005 ...
Consult Microsoft Security Advisory 911302
Microsoft Security Advisory 911302 contains information about the Internet Explorer vulnerability that TrojanDownloader:Win32/Delf.DH exploits. For details, see the advisory at: http://www.microsoft...ory/911302.mspx ..."
Updated: November 29, 2005...Added information regarding proof of concept code, malicious software, and reference to Windows Live Safety Center...
- http://safety.live.c...-US/default.htm

:ph34r:



#4 AplusWebMaster


Posted 02 December 2005 - 09:45 AM

FYI...

- http://www.techweb.c...cleId=174403362
December 01, 2005
"..."This is an extremely critical threat," said Alex Eckleberry, president of anti-spyware developer Sunbelt Software. "It's not widespread, it's not like a Sober or a Zotob, in fact we’ve seen it only a limited number of sites. But it's really, really bad. "Even running a fully patched Windows XP SP2 system, you can still get nailed"... new information points to a greater threat: that an attacker can run malicious code remotely on a compromised PC by luring users to a malicious Web site. That's exactly what's happening now, said Sunbelt's Eckleberry. On Tuesday morning, he told Microsoft that his researchers had found several Web sites which were exploiting the vulnerability to drop a Trojan downloader onto PCs. That downloader, in turn, was loading pornography-related spyware on users' systems... As is Microsoft's policy, it refused to elaborate on plans to produce a patch..."

:ph34r:



#5 AplusWebMaster


Posted 02 December 2005 - 05:56 PM

FYI...

- http://isc.sans.org/...php?storyid=911
Last Updated: 2005-12-02 23:04:28 UTC
"...Criminal groups are starting to exploit the (still unpatched) IE vulnerability. This could get ugly soon..."

(Interesting "storyid" number...)

:ph34r:



#6 AplusWebMaster


Posted 03 December 2005 - 05:29 AM

FYI...

- http://www.websenses...php?AlertID=360
December 02, 2005
"This is a follow-up to alert: http://www.websenses...php?AlertID=347 , which outlined a new zero-day exploit for Internet Explorer for which no patch is currently available.
We are starting to see some infections of sites that are using this technique to exploit vulnerable machines and run malicious code without user-intervention. This, combined with the increase in published proof-of-concept code that performs malicious actions other than simply running calc.exe (like the original POC code), leads us to believe that more widespread infections are possible.
We have also seen sites that are attempting to use the Internet Explorer exploit but have programming logic problems and errors. A couple of these sites have also been blogs that have RSS functionality enabled...."

:ph34r:



#7 AplusWebMaster


Posted 05 December 2005 - 04:30 PM

FYI...

IE flaw opens Google Desktop
- http://www.theinquir.../?article=28125
5 December 2005
"A SECURITY boffin in Israel said that by using an unpatched flaw in Vole's Internet Explorer, he can open your Google desktop search tool and steal all your data. All the hacker has to do is lure a victim to a malicious Web page, and then all the Google Desktop contents are broadcast across the world wide wibble.
Microsoft says it is investigating, but says that it is unaware of malicious code that takes advantage of the flaw yet. Google was also a little spooked and says it is looking into it. Gillon says that all Vole has to do to stop his hack, is to fix the flaw."

:ph34r:



#8 AplusWebMaster


Posted 06 December 2005 - 05:03 PM

FYI...

First wave of trojans washes over unpatched IE
Still no patch from Microsoft
- http://www.theinquir.../?article=28147
6 December 2005
"TWO TROJANS have been seen in the wild that target an unpatched bug in Microsoft Internet Explorer. The trojans, which only require users to visit a spoof website without clicking anything, were spotted by the media friendly antivirus company Sophos. Called Clunky-B and Delf-LT, the exploits could allow malicious code to be executed remotely on a user's PC. Microsoft was expected to release an emergency patch to cover the flaw this week, as most anti-virus companies consider that the flaw rates an 11 on a scale of one to 10..."

> http://www.sophos.co...rojclunkyb.html

> http://www.sophos.co...trojdelflt.html

:blink: :huh: :ph34r:



#9 AplusWebMaster


Posted 07 December 2005 - 04:43 AM

FYI...

Google Desktop tweaked to block attackers
- http://news.com.com/...g=st.util.print
Dec 06, 2005
"Google has made an adjustment to its desktop search tool to foil attacks that take advantage of an unpatched vulnerability in Microsoft's ubiquitous Internet Explorer Web browser... "We did make an adjustment to the product to help protect users," Google representative Sonya Boralv said Tuesday. "We made the adjustment on our end. Users don't need to download a patch or take any action." The bug in IE allows an attacker to retrieve private user data or execute operations on the user's behalf from remote domains, Gillon wrote in his description of the attack method. He crafted a Web page which, when viewed in IE on a computer with Google Desktop installed, used the search tool and returned results for the query "password." A test of the proof-of-concept page created by Gillon confirmed on Tuesday that the attack no longer works..."

:oops:



#10 AplusWebMaster


Posted 07 December 2005 - 03:56 PM

FYI...

Malicious Website / Malicious Code: Zero-day IE Exploit Update II
- http://www.websenses...php?AlertID=364
December 07, 2005
"This is a follow-up to alert: http://www.websenses...php?AlertID=347, which outlined a new zero-day exploit for Internet Explorer for which no patch is currently available.
Websense® Security Labs™ has started to detect numerous websites, which are actively exploiting this vulnerability to execute malicious code. Visiting one of the malicious websites with an unpatched version of Internet Explorer is enough to compromise the user's workstation. The websites discovered so far are using the vulnerability to install potentially unwanted software without the end-user's consent. In the example screenshots below, a fully-patched XP workstation visits a malicious website and is immediately infected. The user's desktop background is replaced with a message warning of a spyware infection and a "spyware cleaning" application is launched. This application prompts the user to enter credit card information in order to remove the detected spyware.
The malicious code that is installed also connects to a website hosted in the .biz domain and downloads and runs more than 10 additional programs. The site within the .biz domain is also hosting more than 10 different files with exploit code within them to run software on a user's machine without consent. To date, we have classified thousands of websites, which are connecting to this site within an IFRAME and attempting to exploit users via HTA, CHM, and other IE vulnerabilities.
The infected website appears to have been compromised and is hosted in the United States.
There is currently no patch available. Details are available from the Microsoft Website:
http://www.microsoft...ory/911302.mspx ..."

(Screenshots available at first URL above.)

:ph34r:



#11 AplusWebMaster


Posted 10 December 2005 - 11:58 AM

FYI...(thanks for the update, Harry):

(3) New JS_Downloader viruses exploit unpatched 911302 IE vulnerability
- http://myitforum.com...2/10/17342.aspx
December 10, 2005


:ph34r:



#12 AplusWebMaster


Posted 13 December 2005 - 06:28 PM

Fix:

- http://www.microsoft...ory/911302.mspx
• December 13, 2005: Advisory updated to reference released security bulletin.
"Microsoft has completed the investigation into a public report of a vulnerability. We have issued a security bulletin* to address this issue..."
* http://www.microsoft...n/ms05-054.mspx

