Microsoft Confirms 'Highly Critical' IE Hole

Microsoft plans to release a pre-patch advisory with workarounds for a “highly critical” vulnerability that could put millions of Internet Explorer users at the mercy of malicious hackers.

The advisory, which will be posted here, acknowledges a code execution hole that was discovered and publicly reported by Secunia Research of Copenhagen, Denmark.

Vulnerability :

The vulnerability is caused by an error in the processing of the “createTextRange()” method call applied to a radio button control. A malicious web site, for example, can exploit this to corrupt memory in a way that allows the program flow to be redirected to the heap.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected.

Solution :

Disable Active Scripting support.

The MSRC (Microsoft Security Response Center) said in a blog entry that users of the new refresh of the IE7 Beta 2 Preview announced at Mix '06 are not affected.

Customers who use supported versions of Outlook or Outlook Express aren’t at risk from the e-mail vector since script doesn’t render in mail [being read in the restricted sites zone].


Update
**Exploit Unleashed for IE Hole**

Proof-of-concept exploit code for a “highly critical” IE vulnerability hits the Web just as Microsoft issues an advisory with temporary workarounds.

The SANS ISC (Internet Storm Center) warned that proof-of-concept code has already been unleashed that could be easily modified into a dangerous exploit.

The ISC’s threat meter has been raised to “yellow” to sound alarm bells for what is deemed a “significant” new threat.


Update
**WMF-Like Zero-Day Attack Underway**

The first wave of zero-day attacks against an unpatched flaw in Microsoft’s Internet Explorer browser has begun and security experts warn that the threat will grow significantly over the weekend.

Less than 24 hours after Microsoft issued an advisory with interim workarounds for IE users, malware hunters have started detecting drive-by downloads on more than 20 maliciously rigged Web sites.

eWEEK has seen a list of more than 20 unique domains and 100 unique URLs hosting the exploits, which are dropping a variant of SDbot, a dangerous family of backdoors that give hackers complete ownership of infected computers.

Exploits Spreading :

SDbot allows attackers to control victims’ computers remotely by sending specific commands via IRC (Internet Relay Chat) channels. The backdoors have also been used as keyloggers to steal sensitive user information and to spread to the local network and to computers vulnerable to exploits.

According to Dan Hubbard, senior director of security and technology research at Websense Security Labs, his company’s honeyclient crawler is capturing about 10 new malicious URLs every hour.

“Some of these attackers are the same people that were exploiting the WMF vulnerability. They’re using the same Web sites,” Hubbard said. “This will continue to get worse over the weekend, especially if they can figure out how to get the exploits to work efficiently.”

“One of the interesting things we’re seeing is that the shell code doesn’t work on a lot of these sites. That suggests they’re testing the exploits and getting ready to do some major damage,” he added.

In addition to SDbot variants, Hubbard said the sites are dumping spyware and keystroke loggers on machines without requiring any user action.

“The sheer percentage of sites that are compromised versus owned by the attacker is higher than usual,” Hubbard noted. In particular, he said several travel-related sites that are hosted on different networks have been compromised.

Roger Thompson, a security researcher attached to Atlanta-based Exploit Prevention Labs, expects to see more than 5,000 malicious sites over the next few days.

“You can expect to see rootkits coming down the pipe within the next 24 hours,” Thompson said.

Microsoft’s Response :

Microsoft said it is aware of “limited attacks” and is actively monitoring the exploitation attempts and working with industry partners and law enforcement to shut off the malicious Web sites.

In the absence of a patch, Microsoft recommends that IE users configure the browser to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.

In addition, IE users can set Internet and Local intranet security zone settings to “High” to prompt before Active Scripting in these zones.

The company is preparing a comprehensive patch to correct the vulnerability, which is caused by an error in the processing of the “createTextRange()” method call applied on a radio button control.


Update

Microsoft mulls rushing out IE patch

Microsoft may rush out a security update for Internet Explorer to fix a flaw that is now being exploited to attack Windows systems, security companies say.

Computer code that demonstrates how a hacker can use the flaw to take over a PC was released onto the Net on Thursday. At least two such exploits were made public, and one has now been adapted to attack systems.

“This exploit code is being used in the wild in malware,” or malicious software, IJzerman said. “I expect other attacks to be prepared and to be out there over the next few days.”

In a security advisory issued on Thursday, Microsoft said it will address the vulnerability in a security update, but did not say when that patch would be delivered. Its next “Patch Tuesday” bundle of fixes is scheduled for April 11. On Friday, however, Microsoft indicated that a security patch might be released outside of the regular cycle.

“It is on the table,” said Stephen Toulouse, a program manager in Microsoft’s Security Response Center. “Every time any kind of exploitation is going on, it is on the table.”

The last time Microsoft issued a fix early was in January. Microsoft rushed out a fix for a serious vulnerability in the way Windows handled the Windows Meta File image format. That flaw was also being abused to attack Windows users.

Meanwhile, Microsoft has offered a work-around for users to protect themselves. Disabling active scripting in the browser will prevent the attack, according to the Microsoft security advisory.

The flaw affects fully patched versions of IE 6 and Microsoft Windows XP with Service Pack 2 as well as IE 7 Beta 2 Preview, according to security experts. Microsoft, however, in its advisory lists the IE7 browser as immune.


Update

Microsoft preps IE flaw fix, sites exploiting bug multiply

The software company is working on a fix for a flaw in Internet Explorer that security experts say is being used by a growing number of Web sites to install spyware on users’ computers.

As of Monday, security firm Websense Inc. said the number of unique Web sites taking advantage of the vulnerability had remained at about 200 since Sunday, given that the sites taken down have been replaced with a roughly equal number of new sites. The overall number, however, was expected to grow over time.

An entry on the Microsoft Security Response Center blog said the company was seeing “only limited attacks.” Nevertheless, Microsoft was working on a fix that would be ready at least by April 11, the next regularly scheduled patch day, if not sooner.

“The IE team has the update in process right now and if warranted we’ll release that as soon as it’s ready to protect customers,” the posting said.


Update

Security firm plugs Internet Explorer hole

Security vendor eEye Digital Security has created a temporary patch that protects end users and enterprises from an unpatched vulnerability in Internet Explorer.

The vulnerability is caused by an error in the way that the browser processes a ‘createTextRange’ call on a radio button. The bug could allow attackers to take control of a system by luring victims to a specially crafted website.

Attackers are actively exploiting the flaw and Microsoft has hinted that it might release an out of cycle patch.

The Redmond giant had advised users to disable Active Scripting in their browser settings (instructions can be found at **Microsoft’s support website**).

Microsoft has not certified the eEye patch. The security firm recommended that users try disabling Active Scripting first and use its workaround only if this does not work.

“EEye’s patch is not meant to replace the forthcoming Microsoft patch, but to provide immediate protection in lieu of an available fix,” said Marc Maiffret, co-founder and chief hacking officer at the security company.

“In fact, eEye has engineered the patch to automatically remove itself when Microsoft’s official patch comes through.”


Update

Security firm Determina releases a runtime fix

Determina has engineered a standalone fix that provides free and immediate protection to users worldwide that need to protect systems from related attacks until such time as Microsoft issues its own patch. Note that current Determina VPS customers do not have to apply this patch as they have been protected against this attack without the need for any update.

The source code of the Shield is included in the download for review by any independent security expert.

This free, standalone fix from Determina can be downloaded from the following link:

DETCVE-2006-1359.msi

Overview :

This is a runtime fix for the IE createTextRange() vulnerability. It can be applied to Windows 2000, XP and 2003 systems running Internet Explorer 5.01 and 6.0. The vulnerability lies in the MSHTML.DLL rendering engine which is loaded into many applications for HTML rendering, including but not limited to Internet Explorer and Microsoft Office.

The installation of the fix consists of adding the fix DLL to the AppInit_DLLs registry key in

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

The MSI installer will do this automatically. This will enable loading this fix DLL into all the vulnerable applications. The fix does not modify any file or application on the disk. It will only modify the vulnerable applications and DLLs in memory. The fix will not be applied to any processes that are running at the time of the installation. To enable the patch, you have to restart IE, Outlook and any other process that needs to be protected. After the installation, run status.exe to verify that your system is protected. If you have a version of MSHTML.DLL that the patch does not support, status.exe will report that the protection is not active.

Once Microsoft releases an official patch and it is installed by the user, the Determina Shield will not be applied any more. Determina recommends uninstalling this fix even though keeping it active will not affect the system. To uninstall the fix, use “Add Remove Programs” in the Control Panel. To uninstall it manually, remove the DLL from the AppInit_DLLs key and restart your machine. You can then safely delete the DLL.

This tool requires administrative privileges on the vulnerable machines in order to install the fix.
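The install and manual-uninstall steps above come down to one registry value, so it is worth being able to inspect it. The following PowerShell is an added example, not part of Determina's package or the original post; the DLL name `EXAMPLE-FIX.dll` is a hypothetical placeholder because the page does not name the fix DLL.

```powershell
# Added example (not Determina's code): audit the AppInit_DLLs value the fix uses.
$WinKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDll {
    # AppInit_DLLs is a single string; entries are separated by spaces or commas.
    $raw = (Get-ItemProperty -Path $WinKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return }
    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        # Bare file names are looked up in System32 here (assumption, for reporting only).
        $path = if ([IO.Path]::IsPathRooted($entry)) { $entry }
                else { Join-Path $env:SystemRoot "System32\$entry" }
        $onDisk = Test-Path -LiteralPath $path
        $sig = if ($onDisk) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Entry     = $entry
            Path      = $path
            OnDisk    = $onDisk
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Get-ProcessWithModule {
    # Lists running processes that have the DLL mapped. Processes started before
    # the install will be missing from this list until they are restarted.
    param([Parameter(Mandatory)][string]$DllName)
    foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq $DllName }) { $p }
        } catch { }  # protected or already-exited processes cannot be inspected
    }
}

function Remove-AppInitDll {
    # Manual uninstall: rewrite the value without the named DLL (needs admin rights).
    param([Parameter(Mandatory)][string]$DllName)
    $raw  = (Get-ItemProperty -Path $WinKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    $kept = @($raw -split '[ ,]+' |
              Where-Object { $_ -and ([IO.Path]::GetFileName($_) -ine $DllName) })
    Set-ItemProperty -Path $WinKey -Name 'AppInit_DLLs' -Value ($kept -join ' ')
}

# Read-only report of what every new process will be asked to load.
Get-AppInitDll | Format-Table -AutoSize

# Hypothetical placeholder name; substitute the DLL actually listed in the report.
# Get-ProcessWithModule -DllName 'EXAMPLE-FIX.dll' | Select-Object Id, ProcessName
# Remove-AppInitDll     -DllName 'EXAMPLE-FIX.dll'   # then restart the machine
```

Any entry in this value that is unsigned, missing from disk or unrecognised deserves a closer look, since every DLL listed there is loaded into the same broad set of processes as the fix.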


Update

Hackers Use BBC News as IE Attack Lure

The ongoing zero-day attacks against users of Microsoft’s Internet Explorer browser have taken an ominous, social-engineering twist.

According to an alert issued by Websense Security Labs, in San Diego, excerpts from actual BBC News stories are being used to lure IE users to Web sites that launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.

One version of the spammed e-mail seen by eWEEK contains a portion of a BBC News item published on March 27 about the Chinese yuan hitting a post-revaluation high against the U.S. dollar.

After the legitimate excerpt, the hackers embedded a “read more” link that points to a Web site that contains a spoofed copy of the BBC News story from the e-mail.

Websense researchers found that the rigged site exploits the unpatched createTextRange vulnerability to download and install a keystroke logger without any user action.

The keylogger monitors activity on various financial Web sites and uploads captured information back to the attacker. It appears that this is the work of a well-organized identity theft ring, stealing bank log-ins and other sensitive user information.

The latest twist comes almost a week after the first wave of attacks started dropping a variant of SDbot, a type of back-door attack that gives hackers complete control of infected computers. SDbot allows attackers to control victims’ computers remotely by sending specific commands via IRC (Internet Relay Chat) channels.

The earlier exploits were being launched from several legitimate Web sites that were hijacked and seeded with malicious code. These include an airline ticketing system, an insurance sales site and a site that sells e-commerce software.


Update

Disable IE’s Active Scripting To Protect Against Bug

Microsoft’s preferred workaround for the createTextRange bug is to disable Active Scripting to prevent any JavaScript code from running. Here’s a step-by-step guide.

While users wait for Microsoft to patch the most recent zero-day vulnerability in Internet Explorer, security experts agree that the best way to protect PCs is to dump the browser’s Active Scripting function.

Even eEye Digital Security, one of two commercial security vendors that have released unsanctioned, temporary patches for the problem, said so.

“Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation,” eEye warned in the advisory accompanying the patch.

Microsoft’s preferred workaround for the createTextRange bug is to disable Active Scripting so as to bar any JavaScript code from running. In fact, this isn’t the first time that Microsoft has urged users to switch off Active Scripting; in early December, it used the same advice when another unpatched vulnerability was wreaking havoc.

**Here’s how to turn off Active Scripting:**

– In Internet Explorer, click Internet Options on the Tools menu.

– Click the Security tab.

– Click Internet, and then click Custom Level.

– Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK.

– Click Local intranet, and then click Custom Level.

– Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK.

– Click OK two times to return to Internet Explorer.

Doing so, however, will break some sites and/or functions within sites, as Microsoft itself warned in the security advisory posted last week and updated Wednesday.

“Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly,” the advisory went. “If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.”
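The same workaround can be checked and applied from a script, which helps when many machines need it. This PowerShell is an added example, not taken from Microsoft's advisory or the original post; it relies on the standard zone layout in the registry, where URL action `1400` is Active Scripting, zone `1` is Local intranet and zone `3` is Internet, and the function names are hypothetical.

```powershell
# Added example: audit and set the Active Scripting URL action (1400) per zone.
# Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones      = @(@{ Id = 1; Name = 'Local intranet' }, @{ Id = 3; Name = 'Internet' })
$Label      = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-UrlAction1400 {
    # Returns the DWORD for action 1400 in one zone, or $null when it is not set.
    param([string]$Root, [int]$ZoneId)
    (Get-ItemProperty -Path "$Root\$ZoneId" -Name '1400' -ErrorAction SilentlyContinue).'1400'
}

function Format-ScriptingValue {
    param($Value)
    if ($null -eq $Value) { 'not set' } else { $Label[[int]$Value] }
}

function Get-ActiveScriptingState {
    foreach ($z in $Zones) {
        $user   = Get-UrlAction1400 -Root $ZoneRoot   -ZoneId $z.Id
        $policy = Get-UrlAction1400 -Root $PolicyRoot -ZoneId $z.Id
        # A machine policy value, when present, takes precedence over the user's.
        $inForce = if ($null -ne $policy) { $policy } else { $user }
        [pscustomobject]@{
            Zone          = $z.Name
            UserSetting   = Format-ScriptingValue $user
            MachinePolicy = Format-ScriptingValue $policy
            # The workaround is in place only for Prompt (1) or Disable (3).
            WorkaroundOn  = ($null -ne $inForce) -and ($inForce -in 1, 3)
        }
    }
}

function Set-ActiveScripting {
    # Applies the workaround to the current user's Internet and Local intranet zones.
    param([ValidateSet('Prompt', 'Disable')][string]$Mode = 'Disable')
    $value = if ($Mode -eq 'Prompt') { 1 } else { 3 }
    foreach ($z in $Zones) {
        $key = "$ZoneRoot\$($z.Id)"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value $value -Type DWord
    }
}

# Read-only report; run Set-ActiveScripting -Mode Disable to apply the workaround,
# then restart Internet Explorer so the new zone settings are picked up.
Get-ActiveScriptingState | Format-Table -AutoSize
```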


Update

**New Generation of IE Malware Now Circulating**

**April security patches address serious vulnerabilities in IE and Windows.**

**Exploit is based on earlier flaw but considered more dangerous**

Hackers have posted a new version of malicious software that will make it easier for them to exploit an unpatched vulnerability in Microsoft’s Internet Explorer browser. Based on a critical bug disclosed on March 22, the software was posted by hackers today to the Milw0rm.com Web site.
The code exploits a flaw in the way IE processes Web pages using the createTextRange() method. Hackers have been using malware that takes advantage of this vulnerability to install unauthorized software on victims’ computers over the past week, but this new generation is considered to be more dangerous, according to security researchers.

How It Works
Older versions of the malware could freeze victims’ browsers for more than a minute, giving them an opportunity to shut down their computers or stop the malicious software before it could complete its work. But the new software works more quickly, meaning it will be particularly effective on older machines with limited memory and processing capabilities, says Craig Schmugar, researcher with McAfee Avert Labs.

The software also uses new techniques to avoid certain types of signatures used by antivirus vendors, says Aviv Raff, a security researcher based in Israel. “It’s much more effective,” he warns. “I think people should know and understand that … now they are more vulnerable.”

Official Fix Not Expected Until April 11

With a fix for the problem expected as late as April 11–the date of Microsoft’s next scheduled security update–security companies Determina and eEye Digital Security have issued unsupported patches for the problem. According to eEye, there have been more than 70,000 downloads of its software since its Monday release.

Microsoft does not recommend that users install these patches. Instead, it recommends disabling IE’s Active Scripting feature as a workaround.


Update

Critical IE fix due Tuesday

Microsoft has confirmed it plans to release a fix for a serious security bug in Internet Explorer next Tuesday (11 April). The fix for the “CreateTextRange” vulnerability - which has become the subject of hacker exploits over recent days - will be released as a cumulative update to Internet Explorer along with four other security bulletins.

Late last month, numerous maliciously constructed websites began attempting to exploit the “CreateTextRange” vulnerability to install Trojans, botnet clients and other forms of malware on victim PCs. This malicious activity, together with the lack of an immediate fix from Microsoft, prompted two security firms (Determina and eEye Digital Security) to each issue standalone patches to mitigate the risk of attack. Microsoft advised organisations to disable Active Scripting as a workaround.

Internet Explorer has become the subject of a number of unpatched vulnerabilities over recent weeks. In the latest such incident, security notification firm Secunia warned this week of an unpatched flaw in IE that might be used to spoof the address bar in a browser. Because of this behaviour, the bug might be used to make phishing attacks more convincing.


Update

Microsoft Releases Long-Awaited Internet Explorer Patch

Microsoft today released its security software patches for April, addressing an unpatched bug in Internet Explorer that hackers had been exploiting for several weeks.

As expected, the company released five patches, called “updates” in Microsoft parlance, addressing a number of critical vulnerabilities in IE and Windows. Microsoft also released an update for Outlook Express, rated “important,” and a fix for Windows FrontPage Server Extensions and SharePoint Team Services 2002, rated “moderate.” Here’s a description of what Microsoft released.

In Microsoft’s rating system, the most serious vulnerabilities are rated “critical,” meaning they could allow unauthorized software to be installed without user action. The “critical” designation is followed by “important,” and then “moderate.”

Finally, the IE Patch

The most anticipated part of this month’s update is the MS06-013 patch, which fixes several IE bugs, including the “createTextRange()” vulnerability reported last month. Hackers had been exploiting this problem by installing unauthorized software on PCs accessed after tricking users into visiting sites that took advantage of the bug.

The problem was serious enough that security vendors eEye Digital Security and Determina created patches to address it. On Tuesday, eEye said that it had seen more than 156,000 downloads of its software, which Microsoft does not recommend.

Other Fixes

Microsoft also on Tuesday patched a similarly critical vulnerability in the way Windows Explorer handles Component Object Model objects. Attackers could take over a system by tricking users into visiting a Web site that would connect them to a remote file server. “This remote file server could then cause Windows Explorer to fail in a way that could allow code execution,” Microsoft said.

This vulnerability affects all supported versions of Windows, Microsoft said.

The third critical fix in April’s updates addresses a vulnerability in an ActiveX control, called RDS.Dataspace, which is distributed with the Microsoft Data Access Components. This software is included with the Windows operating system and is typically used by database software.

The RDS.Dataspace component problem is rated critical for Windows 98, Windows 2000, and Windows XP. It is considered a moderate risk for Windows Server 2003 users.

Download :

Cumulative security update : MS06-013 patch for the Internet Explorer browser covers a total of eight remote code execution vulnerabilities as well as one information disclosure vulnerability and one spoofing vulnerability.

Affected browsers include all versions from 5.01 to IE 6.x for XP SP2 as well as IE 6 for Server 2003 with installed SP1. Microsoft did not release patches for IE7 Beta 1 users, but promised to make an update available “on Windows Update within the next two weeks.”

The company said the severity of the issues is “critical” and recommends that users update their browser “immediately.”


Thanks a lot, Dipdude, for the continuous update on the serious issue :D
Keep it up ;)


New Generation of IE Malware Now Circulating - Exploit is based on earlier flaw but considered more dangerous.

Critical IE fix due Tuesday - As more unpatched browser bugs arrive over the horizon.

Microsoft patches ten IE security holes - Microsoft Releases Long-Awaited Internet Explorer Patch.