
November 4, 2004 1:13 PM PST

Exploit code makes IE flaw more dangerous

The threat posed by a critical flaw in Internet Explorer has been ratcheted up by the release of a program designed to exploit the vulnerability, security researchers warned on Thursday.

Security information provider Secunia raised the buffer overflow flaw to its highest rating in a new advisory. The vulnerability, which was made public on Tuesday, could be used to make Internet Explorer trigger a malicious program when the Microsoft browser loads a specially formatted Web page. The flaw does not affect Windows XP Service Pack 2, Secunia said.

"This advisory has been rated 'extremely critical,' as a working exploit has been published on public mailing lists," the company said.

The Iframe flaw is the latest in a series of security issues related to Internet Explorer. This week, ScanSafe found that a flaw in the browser had racked up the highest number of attacks for one exploit in the second quarter. In addition, Microsoft has been drawn into a debate over whether a spoofing technique that uses Internet Explorer can be described as a flaw. Last month, security companies sent out a warning that a set of security holes affected Microsoft's browser among other major Web software.

Microsoft has begun to investigate the Iframe vulnerability and has not been made aware of any program designed to exploit the flaw, the company said in an e-mail statement to CNET News.com.

"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," the company stated.

The software company took issue with the public release of the vulnerability before it had been notified.

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said in the statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

For now, users can upgrade to Windows XP SP 2 or use a different browser.

The U.S. watchdog for Internet threats, the Computer Emergency Readiness Team (CERT), has also warned government and industry users about the Iframe flaw. According to the US-CERT advisory, the problem is caused by how Internet Explorer handles certain attributes of frames, which is a way of displaying Web content in separate parts of the browser window.

The US-CERT alert notes that other programs using the WebBrowser ActiveX control could be affected by the vulnerability. These programs include Microsoft's Outlook and Outlook Express, America Online's browser, and Lotus Notes.

In other words
by November 4, 2004 2:25 PM PST
"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said in the statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

People or organizations who find one of the countless flaws is the garbage that we throw out, should only tell us about it. That way we can ignore it.

Why is yet another critical flaw news?

What would be news is microsoft getting something right the first time, or even the fifth.
Reply to this comment
huh?
by November 4, 2004 6:52 PM PST
Um, in case you haven't noticed, MS is the largest and most successful software company in the history of, oh, I don't know, the PLANET.

Seems like they got PLENTY of stuff right the first time.
View all 2 replies
IFrames in email
by Marcus Westrup November 4, 2004 3:56 PM PST
I started seeing IFrame spam again (after a gap of more than a year) two weeks ago.
I can only assume the hacker underground has known about this exploit for some time, and just now the word is out.

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk,"

Seems to me people are already at risk - I'd rather be warned so I can be on guard. A patch might come too late.
Reply to this comment
I wonder how yours is setup
by Prndll November 4, 2004 5:44 PM PST
Ya know, you are not forced into viewing HTML email. The odds are pretty good that problem email is always going to be in the form of HTML (except for attachments).
did you read?
by David Arbogast November 5, 2004 12:07 PM PST
A patch already exists... before the exploit even. As usual... and hey... it's free and available online. What more do you want?
*yawns*
by Jonathan November 4, 2004 3:59 PM PST
*Checks to see if there are any new FireFox vulnerabilities* Nope. *goes back to work*
Reply to this comment
Firefox.....hhhhmmmm
by Prndll November 4, 2004 5:46 PM PST
There is too strong a connection between Mozilla and AOL. AOL rots things.
View all 3 replies
The first paragraph....
by November 4, 2004 4:51 PM PST
says that
"The flaw does not affect Windows XP Service Pack 2, Secunia said."
Looks like Microsoft already fixed the problem. It just gives people that want to continue to use IE another reason to upgrade to SP2.
Reply to this comment
Don't forget
by November 4, 2004 5:15 PM PST
Windows XP is less than half of the Windows users, last I heard. MS is not offering the security bug fixes in SP2 to anyone who does not own XP.

That means that over 50% of the systems out there are unprotected, this is a big issue. One that MS would do well to take seriously and give everyone the security fixes. They can hold back extras like their garbage firewall from non XP users, but to withhold bug fixes is yet another unethical move on their part.
View reply
The only real flaw.....
by Prndll November 4, 2004 5:50 PM PST
is upgrading. This problem is for IE6.0

6.0 does nothing for me but create problems. I see no reason to go beyond 5.5. I know that 5.5 has concerns as well, but with each and every upgrade comes more and more vulnerabilities and problems.

The point.....Newer DOES NOT mean better.
Reply to this comment
true...
by David Arbogast November 5, 2004 12:12 PM PST
newer does not always mean better. Although newer typically means better support...
View reply
hm
by cutekangaroo November 13, 2004 6:28 PM PST
I use a safari and firefox on a Mac, should I be worried? ;)
Reply to this comment
geez
by cutekangaroo November 13, 2004 6:30 PM PST
I don't know why ppl still continue to use microsoft ****.

They are drowning themselves being too popular and having
holes open.

ah the hell with them.
Reply to this comment
There is a solution to this and many other vulnerabilities
by June 8, 2005 3:47 PM PDT
Thirty steps to PC security:

This article describes the steps necessary to secure your Windows operating system from malicious exploits. The solutions listed below will protect you from every major vulnerability found on the Internet today, June 08, 2005. If by chance you would prefer to use tested software to enable these solutions, go to http://www.geocities.com/turbotramp2/samurai.html or click http://www.geocities.com/turbotramp2/samurai.zip to download the most recent version of Samurai. This Host-based Intrusion Prevention System will secure your machine using the solutions listed below.


DISABLE INSECURE CONTROLS: Disable known insecure ActiveX controls.

This solution disables the use of insecure ActiveX controls. The registry key "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" is updated with the GUIDs of known insecure controls that do not affect normal operation when disabled. The GUIDs are:

// ADODB control
{00000566-0000-0010-8000-00AA006D2EA4}
// Shell.Application
{13709620-C279-11CE-A49E-444553540000}
// AnchorClick DHTML Behavior
{8856F961-340A-11D0-A96B-00C04FD705A2}
// Image Control 1.0 (uses asycpict.dll)
{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}
// DHTML Editing Control
{2D360201-FFF5-11D1-8D03-00A0C959BC0A}


PREVENT AIM EXPLOIT: Disable the AIM URL protocol handler.

This solution prevents the use of the AIM URL protocol by replacing the insecure ActiveX GUID with a harmless substitute, in this case the HTML Help GUID is used. The AIM URL protocol is not required for normal operation and does not affect AOL Instant Messaging.

The registry key is "HKCR\PROTOCOLS\Handler\aim".
The registry value is "CLSID".

PREVENT ANONYMOUS ACCOUNTS: Prevent anonymous accounts.

This solution prevents the use of anonymous sessions by setting the registry value "HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous" to true. This setting will not become active until the machine is rebooted. As such, "The new configuration will require a reboot" will be displayed when this setting is altered in Samurai.

DISABLE AUTO FILE OPEN: Disable automatic file open from explorer.

This solution prevents Explorer from opening files without first prompting the user. This is accomplished by masking all auto open bits in EditFlags values of registry keys located in HKLM\Software\Classes, HKLM\Software\Classes\Shell\Open, HKLM\Software\Classes\CLSID, HKCU\Software\Classes, HKCU\Software\Classes\Shell\Open and HKCU\Software\Classes\CLSID.

STOP BIT SERVICE: Stop the Background Intelligent Transfer Service.

This solution stops the Background Intelligent Transfer Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

DISABLE URL PROTOCOLS: Disable dangerous URL protocols.

This solution disables the use of insecure URL types "ms-its", "ms-itss", "its", "mk" and "local" by removing the type entries from the "HKLM\Software\Classes\Protocols\Handler" and "HKCR\Protocols\Handler" registry keys.

DISABLE DYNAMIC ICONS: Disable insecure job icon handlers.

This solution disables dynamic icon handlers for (.job) JobObject files by removing the "IconHandler" keys from "HKCR\JobObject\shellex" and "HKLM\SOFTWARE\Classes\JobObject\shellex". Dynamic job icon handlers are not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

SECURE EXPLORER ZONE 0: Set and secure "My Computer" zone.

This solution secures the "My Computer Zone" by resetting the values of the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0". These special settings prevent many vulnerabilities including MS05-001, MS05-008 and MS05-014. The settings are:

1001 Download signed ActiveX controls Disable
1004 Download unsigned ActiveX controls Disable
1200 Run ActiveX controls and plug-ins Prompt
1201 Initialize and script ActiveX controls not marked as safe Disable
1400 Active Scripting Allow
1402 Scripting of Java applets Disable
1405 Script ActiveX controls marked as safe for scripting Allow
1406 Access data sources across domains Disable
1407 Allow paste operations via script Disable
1601 Submit non-encrypted form data Disable
1604 Font Download Disable
1605 Run Java Disable
1606 User Data persistence Disable
1607 Navigate sub-frames across different domains Disable
1608 Allow META REFRESH Disable
1609 Display mixed content Disable
1800 Installation of desktop items Disable
1802 Drag and drop or copy and paste of files Allow
1803 File Download Disable
1804 Launching programs and files in an IFRAME Disable
1E05 Software channel permissions 196608

DISABLE GRP ASSOCIATION: Disable dangerous .grp file conversions.

This solution disables the insecure association between ".grp" files and "MSProgramGroup" by deleting both registry keys from HKCR.

DISABLE GUEST ACCOUNT: Disable the Guest Account.

This solution disables the guest account by removing account registry keys "V" and "F" from "SAM\SAM\Domains\Account\Users\000001F5". The guest account is not required for normal operation and can be used by privilege escalation exploits to gain full administrative control of a machine.

DISABLE HTML APP TYPE: Disable the HTML Application MIME type.

This solution disables the HTML application type by removing the "application/hta" registry key from both "HKCR\MIME\Database\Content Type" and "HKLM\SOFTWARE\Classes\MIME\Database\Content Type".

PREVENT HTML FRAME EXPLOIT: Check FRAME/IFRAME NAME field.

This solution registers an HTML filter that checks for FRAME and IFRAME tags with overly long NAMEs. The filter removes overly long names from the HTML stream to prevent a well-publicized buffer overflow. This can only be accomplished with the Samurai HIPS.

SECURE HTTP SETTINGS: Secure HTTP configuration parameters.

This solution adjusts registry values under the "HKLM\System\CurrentControlSet\Services\HTTP\Parameters" key to secure HTTP from many common vulnerabilities. The settings are:

"AllowRestrictedChars" 0
"EnableNonUTF8" 1
"FavorUTF8" 1
"MaxConnections" 0x7fffffff
"MaxEndpoints" 0
"MaxFieldLength" 16384
"MaxRequestBytes" 16384
"PercentUAllowed" 1
"UrlSegmentMaxCount" 255
"UriEnableCache" 1
"UriMaxUriBytes" 262144
"UriScavengerPeriod" 120
"UrlSegmentMaxLength" 260

PREVENT IMAGE EXPLOITS: Check image files for correctness.

This solution hooks various system calls to block Animated Cursor (.ANI) and GDI+ (.JPG) files containing buffer overflow exploits. Only files with embedded buffer overflows will be blocked from image processing. Properly formatted ANI and JPG files will not be affected by this solution. This can only be accomplished with the Samurai HIPS.

STOP INDEX SERVICE: Stop the Windows Indexing Service.

This solution stops the Windows Indexing Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

SECURE LICENSE LOGGING: Disable null session License Logging.

This solution disables insecure null session license logging by removing "LLSRPC" from the "NullSessionPipes" value of the "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" registry key.

PREVENT LSASS EXPLOIT: Prevent LSASS (Sasser based) exploits.

This solution repairs a well-known LSASS vulnerability by setting the LSASS dcpromo.log file to "read only". The dcpromo.log file can be found in the system directory under the "debug" directory.

STOP MESSAGE SERVICE: Stop the Windows Messaging Service.

This solution stops the Windows Messaging Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. This solution does not affect Instant Messaging services.

STOP NET DDE SERVICE: Stop the Net DDE Service.

This solution stops the Network Dynamic Data Exchange Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

DISABLE PCT SERVICE: Disable the Private Communication Transport.

This solution disables the PCT protocol by disabling both the "Client" and "Server" registry keys under "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0". The PCT protocol is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

DISABLE UPNP SERVICE: Disable the Universal Plug and Play Service.

This solution stops the Simple Service Discovery Protocol, which disables Universal Plug and Play. The SSDP service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. This solution does not affect local Plug and Play operation.

DISABLE RDS: Disable the Remote Data Services Datafactory.

This solution disables 3 insecure RDS datafactory objects: RDSServer.DataFactory, AdvancedDataFactory and VbBusObj.VbBusObjCls, by removing the corresponding registry keys from "HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch". These objects are not used in normal operation and will not affect other Remote Data Services.

STOP REMOTE REGISTRY SERVICE: Stop the Remote Registry Service.

This solution stops the Remote Registry Service. This service is not required for normal operation and can be used to remotely reconfigure a host machine from a remote computer.

DISABLE ROOTKITS: Clear existing rootkits and prevent future loading.

This solution hooks system calls to prevent the loading of rootkits and refreshes the kernel's system call table to clear existing rootkits. This solution also contains a user interface that informs the operator when attempts are made to load device drivers during normal operation. This can only be accomplished with the Samurai HIPS.

DISABLE RPC-DCOM: Disable RPC based DCOM.

This solution disables the DCOM client protocol of the Remote Procedure Call protocol by setting "HKLM\Software\Microsoft\OLE\EnableDCOM" to "N" and removing any data in "HKLM\Software\Microsoft\Rpc\DCOM Protocols". The Client DCOM portion of RPC is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. This setting will not become active until the machine is rebooted. As such, "The new configuration will require a reboot" will be displayed when this setting is altered in Samurai.

DELETE SAM FILE: Delete the backup password file.

Many Windows operating systems save a backup copy of the SAM file in the repair directory under the system directory. This file contains SMB username and password data that can be decoded by utilities such as JohnTheRipper to retrieve valid login information. The backup file is only used for emergency backup and is not required for normal operation.

DISABLE SHELL URL: Disable the Shell URL protocol handler.

The solution disables the Shell protocol handler by replacing the insecure ActiveX GUID found at "HKCR\PROTOCOLS\Handler\shell\CLSID" with a harmless substitute, in this case the HTML Help GUID. The Shell URL protocol is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

BLOCK SYN ATTACKS: Prevent TCP/IP SYN attacks.

This solution helps to prevent SYN Flood Attacks from disabling TCP/IP by setting the "SynAttackProtect" value of the "HKLM\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters" registry key. The value is set to 2, which adds additional delays to connection indications and allows TCP connection requests to quickly timeout when a SYN attack is in progress.

DISABLE WWW DAV: Disable Distributed Web Authoring.

This solution disables the Distributed Web Authoring service by setting the "DisableWebDAV" value of the "HKLM\System\CurrentControlSet\Services\W3SVC\Parameters" registry key. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

DISABLE WIN SERVICE: Disable the Windows Internet Naming Service.

This solution disables the Windows Internet Naming Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

I hope this helps,
TurboTramp
Reply to this comment
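An added example, not part of TurboTramp's comment or of the Samurai tool: a small Python stream filter of the kind the PREVENT HTML FRAME EXPLOIT step describes, which drops FRAME/IFRAME attributes longer than a threshold and logs each one so the rest of the page still renders. The 256-character threshold, the sample page and the example.invalid URLs are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed threshold: the comment only says "overly long". Real frame names are
# short identifiers, so anything past this is treated as suspect and dropped.
MAX_ATTR_LEN = 256
FRAME_TAGS = {"frame", "iframe"}

class FrameAttrFilter(HTMLParser):
    """Re-emit the HTML stream, dropping over-long attributes on FRAME/IFRAME.
    Everything else passes through; each dropped attribute lands in findings."""

    def __init__(self, max_len=MAX_ATTR_LEN):
        super().__init__(convert_charrefs=False)  # keep entities verbatim
        self.max_len = max_len
        self.out = []
        self.findings = []  # (tag, attribute, length) for logging

    def _attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if tag in FRAME_TAGS and value is not None and len(value) > self.max_len:
                self.findings.append((tag, name, len(value)))
                continue  # strip the suspect attribute from the stream
            if value is None:
                parts.append(f" {name}")
            else:  # the parser unescaped the value; re-escape it on output
                parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")
    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

def filter_frames(html, max_len=MAX_ATTR_LEN):
    """Return (cleaned_html, findings) for one HTML document."""
    parser = FrameAttrFilter(max_len)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample: one normal iframe, one whose NAME is 2000 bytes of padding.
SAMPLE = (
    "<html><body><p>Hello &amp; welcome</p>"
    '<iframe src="http://example.invalid/a.html" name="main"></iframe>'
    '<iframe src="http://example.invalid/b.html" name="' + "A" * 2000 + '"></iframe>'
    "</body></html>"
)
print(filter_frames(SAMPLE)[1])  # [('iframe', 'name', 2000)]
```

The cleaned document keeps both iframes and their src values; only the padded name attribute is removed.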