The code was published on public Web sites, where it is accessible to miscreants who might use it to craft attacks on vulnerable Windows computers. Microsoft is investigating the issue, the company representative said in a statement Thursday.
"Microsoft's initial investigation reveals that this exploit code could allow an attacker to execute memory corruption," the representative said. As a workaround to protect against potential attacks, Microsoft suggests Windows users disable ActiveX and active scripting controls.
The flaw is due to an error in an ActiveX control related to multimedia features and could be exploited by viewing a rigged Web page, Symantec said in an alert sent to users of its DeepSight security intelligence service Thursday. An attacker could commandeer a Windows PC or cause IE to crash, the security company said.
IE versions 5.01 and 6 on all current versions of Windows are affected, the French Security Incident Response Team, or FrSIRT, a security-monitoring company, said in an alert Wednesday. FrSIRT deems the issue "critical," its most serious rating. Microsoft noted that Windows 2003 running Enhanced Security Configuration is not affected.
Upon completion of its investigation, Microsoft may issue a patch for the flaw as part of its monthly release process, the company said. Microsoft is not aware of any attacks that attempt to exploit the new IE vulnerability at this time, it said.
The warning of the new flaw comes only days after Microsoft released its September patches. On Tuesday it released three updates, two for Windows and one for Office. The software maker also released a third version of an Internet Explorer fix after it botched the first two versions of the patch.
In recent months, word of new attacks has repeatedly followed shortly after "Patch Tuesday." Some experts believe the timing of the new attack is no coincidence, suggesting that attackers look to take advantage of a full month before Microsoft is scheduled to release its next bunch of fixes.
supposed to be more secure? When will people figure out that IE is possibly the most vulnerable / worst-secured software ever! Send a message to M$! Switch to FireFox today!
Roberto
<sigh!>. OK, 3 bits of common sense:
1. Software will never be perfect because the people (us) who write and use it aren't perfect.
2. A determined cracker will crack anything if it is worth his/her while.
3. Perfect security is easy. Simply build a closed, unchanging system. You won't be able to interact with that system in any way once it's completed, but hey, it's SECURE.
Wait, you want to be able to use the system, right? How? ...and what about the next guy? ...and what about tomorrow? Then the system will have to be able to adapt to possibilities in a myriad of combinations, won't it? The more versatile that system, the greater the number of combinations or eventualities it will have to make allowances for--and some "slack-jawed goon" will have to spend hundreds of hours trying to plan for all of them.
Should Microsoft do a better job? HELL YES! ....but consider that it might take them several decades to plan for EVERY possible problem (imagine hearing that IE ver 1 will come out next year because MS spent the last 18 years planning and fixing every possible hole in the code first), or they would have to create software that fixes itself--which would mean that the software has to think for itself. IE is full of holes and I seldom use it, but I would use it less if it were self-aware and going to tell me how to use it and decide what it would let me do.
Lastly, if MS were to disappear tomorrow and Apple or someone else ruled the market, we'd all be here in a couple of years griping about how BrandX PC and/or OS is full of holes and needs patching, blah, blah.
The original sample, as provided by the discoverers, was only tested on Chinese XP SP2 and IE 6.0 SP1, and in our tests would not work reliably on any of our SP2 goats. It would crash the browser, but not execute code.
Now, since then, three or four different sets of folks have figured out how to make it execute code on regular SP2, so it obviously has the potential to be really big.
Equally obviously, we have signatures for it in SocketShield, and so far our hunting pots have not found any web sites using it, so it remains to be seen if any of the Evil WebMeisters will actually use it, no matter how good it is.
Historically, they tend to prefer to be spoonfed, and not figure out the exploits for themselves, and the fact that the only published code doesn't quite work may save us all by itself.
We'll continue to monitor the situation, and will post here if we start finding them in use. Currently, all is safe.
Cheers
Roger
CTO
http://ExpLabs.com
This is a minor heads up... our hunting pots found a website this morning that is serving a modified version of this exploit.
It's only a minor heads up, because it is
(1) so far, just a single site, and
(2) the exploit is still only an IE crash in our tests.
In other words, it's still nothing much to worry about, but everyone should be aware that people are tweaking the code and experimenting. And, of course, there might be many more sites ... we don't see everything at once.
Cheers
Roger
CTO
http://explabs.com
Can you answer some questions for me? Please state the laws that are being violated. Please name the group of Windows users who are claiming Microsoft is forcing their software on them. Has Microsoft threatened you personally if you failed to
When will it end? Never, because dissatisfied, anti-Microsoft nerds would rather moan and groan about MS products because the one they use doesn't appeal to the masses. You remind me of a sleazy politician who can only sling mud at the opponent because he's no saint either.
You can't fix a house whose foundation is inadequate to hold it up!
J Gund
Tech01 Mobil
Mobil.Tech01.net
; Compatibility Flags 0x400 is IE's kill bit: the control with this CLSID is never instantiated by the browser
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]
"Compatibility Flags"=dword:00000400
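An added audit helper (example code, not from the article or the comment above): it parses a .reg export of IE's ActiveX Compatibility key in the format of the snippet above and reports which CLSIDs do not carry the 0x400 kill bit. The sample export is constructed; its second CLSID is a placeholder, not a real control.

```python
import re

# Compatibility Flags bit that tells IE never to instantiate the control (the kill bit).
KILL_BIT = 0x400

# Constructed sample of a .reg export of IE's ActiveX Compatibility key.
# First CLSID: the one from the posted workaround, kill bit set.
# Second CLSID: an all-zero placeholder (not a real control), kill bit clear.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000000
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$')


def parse_compat_flags(reg_text):
    """Return {CLSID: flags} for every ActiveX Compatibility subkey in a .reg export."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, 0)  # subkey present but no value means flags 0
            continue
        if line.startswith("["):          # some unrelated key: stop attributing values
            current = None
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def killbit_set(flags):
    """True when the 0x400 bit is present in a Compatibility Flags value."""
    return bool(flags & KILL_BIT)


def clsids_missing_killbit(reg_text, required):
    """CLSIDs in `required` that the export does not block (absent, or kill bit clear)."""
    flags = parse_compat_flags(reg_text)
    return sorted(c for c in required if not killbit_set(flags.get(c.upper(), 0)))
```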
Why IE Fails?
by Mister C, September 16, 2006 12:31 AM PDT
It is really quite simple. M$ hires people with education but little or no experience, primarily to idolize Bill and feed his ego. They may have all the talent in the world, but without that practical experience the mistakes will abound.