
November 21, 2005 12:35 PM PST

Attack code released for IE hole

Exploit code for a new flaw in Internet Explorer could put systems at risk of remote attack, security experts warned Monday.

The exploit code, made public Monday, aims to take advantage of the "extremely critical" vulnerabilities in IE 5.5 and IE 6 running on XP Service Pack 2 (SP2), and IE 6 running on Windows 2000 SP4, security researcher Secunia said in an advisory.

Once a PC user is tricked into visiting a malicious Web site, the exploit can be triggered automatically, without the user doing anything.

"An attacker could use the exploit to run any code they want to on a person's system," said Thomas Kristensen, Secunia's chief technology officer. "It could be they want to launch some really nasty code on a user's system."

The flaw lies in a JavaScript component of IE used for loading Web pages onto a computer, according to an advisory from SANS Internet Storm Center.

Microsoft has not released a patch for the hole exploited by the code. People can attempt to work around the problem by either shutting off JavaScript or using another type of browser, security companies advised.

Security researchers said the IE vulnerability has been known for the past six months, but had previously been seen as a conduit for denial-of-service attacks rather than the remote execution of code. DoS attacks, which attempt to crash a system by flooding it with data, are typically considered less severe security risks.

"The vulnerability itself has been known about for a while, but it was only a problem for a denial-of-service attack that would sometimes cause IE to crash," said Johannes Ullrich, chief research officer for the SANS Institute. "Up until now, no one knew how to mark the code and find it in memory to execute a remote code attack."

The exploit code was published by an organization called Computer Terrorism.

Because the flaw was initially believed to involve only a potential DoS attack, Microsoft never issued a patch for the problem, Ullrich said. He added it is not yet known whether Microsoft will spin out a patch for the flaw immediately or wait for its monthly patch cycle.

A Microsoft representative was not able to comment early Monday on the flaw or the exploit, but did say that the company is investigating reports of the possible vulnerability for customers using Internet Explorer while running Windows 2000 SP4 and Windows XP SP2.

"We have also been made aware of proof-of-concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time," the representative said.

Microsoft, upon completion of its investigation, will take appropriate action to protect its customers by providing a patch as part of its monthly security bulletin program or in a separate security advisory, the representative added.

Obviously, not a concern....
by Earl Benser November 21, 2005 1:11 PM PST
... unless you are still using IE. And if you are, don't complain about lousy security.
Some of us don't have a choice
by vanox November 21, 2005 1:17 PM PST
Well, at least at work I don't have that choice. At home, IE is only used if any sites absolutely require it, otherwise I use alternate options (Safari, Firefox, Opera)
It's not the browser that you use
by Mr. Network November 22, 2005 10:41 AM PST
It's how you use it. I am a Microsoft zealot as some would call me. I've never been infected with a virus or worm and I strictly use IE for all my browsing needs. So what makes me so special? Nothing. I use Norton AV and I update my machine as updates become available. I don't browse porn/wares sites so I don't see wherein lies the problem. 90% of infections occur because of users' lack of precaution or knowledge which is actually a part of precaution (education).
microsoft responds...
by i_made_this November 21, 2005 2:07 PM PST
...they haven't heard of any "customer" exploits. don't you love the irony in this battlecry? here we've got the world's largest software firm with thousands of employees each of whom - i'm taking a wild guess here - uses the affected systems at work every day. but this huge sample isn't big enough for them to report an exploit. i always wondered why they simply don't say "we" haven't heard of any exploits. maybe it's because the "we" in question has known of each such exploit for a long time. no wonder the microsoft employees i know use firefox on their home systems.
This is why you shouldn't use IE
by Bill Dautrive November 21, 2005 2:42 PM PST
MS takes forever to patch known flaws, and this has been known for more than enough time to fix it. It always takes a crisis for them to get around to starting work on a fix.

It is not that Firefox is perfect, it has had flaws that needed to be patched. Not nearly as many as IE, and IE is "supposed" to be far more mature, since it has been out for ages. The big difference is that the Mozilla Foundation has a fix (not workaround) in 3-4 days, tops. Long before any flaws are exploited. This is why it is legitimate to claim that Firefox is far more secure than IE.

In short, MS is still paying lip-service to security. If you think that Vista and IE7 won't be security sieves also, I have some swampland you may be interested in.

MS security: the biggest joke and oxymoron since MS innovation.
You are on Point
by Wildcat0695 November 22, 2005 7:14 AM PST
I think it was Symantec that said a while ago that IE was more secure. Here is the proof that it is not. I use Firefox 95% of the time. It's a better browser and security issues are addressed 100% better.
?
by Llib Setag November 21, 2005 2:43 PM PST
?
re:"?"
by royc November 21, 2005 5:31 PM PST
What are you trying to say?

And who are you talking to?
Does Not work for me
by November 22, 2005 12:35 AM PST
I have tried to run the proof of concept, which is available at:
http://www.computerterrorism.com/research/ie/poc.htm
My machine is IE 6 on Windows XP, SP2.
Other than hanging IE, the script was not able to do anything even after I waited for around 1 hour.

However, Microsoft should look into it closely and seriously. The Proof of Concept failed on my machine; that does not guarantee it shall fail on other machines too.

A cat is gone if the pigeon closes his eyes.

~Shantanu
http://godisnear.blogspot.com
UK HACKERS ROOLS J00
by n3td3v November 22, 2005 5:42 AM PST
U.K HAX0RS R LEET0R THAN U.S
Well
by Mutex November 22, 2005 8:42 AM PST
We've got something to be proud of then eh. :?
n3td3v, is that you?
by ScullyB November 22, 2005 11:21 AM PST
whatever came of your virtual suicide? was that only for the lucky full-disclosure crew?
WOW!
by J_Satch November 22, 2005 12:58 PM PST
What an incredibly intelligent and relevant post. Idiot.
DOUBLE WHAMMY
by n3td3v November 22, 2005 5:45 AM PST
THE SAME VULNERABILITY CAUSES A DoS in FIREFOX.
THIS IS NOT THE FIRST HOLE
by newerawisp November 22, 2005 3:02 PM PST
A few months ago there was a story in Beta news wherein the government warned of such a thing. Not a similar thing. Exactly such a thing. And if I remember it correctly it was the flaw in Internet Explorer. It seems the Hackers do not bother to look for the flaws in Netscape. They might look for one in Mozilla or open source but not in Netscape. It seems they want to lock horns with Blog.

We are so lucky that the Government warns of Computer terrorism although such a terrorism could easily translate to real life terrorism if the terrorism related to Government agency Files. If these files were broken into it would not be broken into.

As a matter of fact the government makes its files very air tight. But then it can't open these files itself. There was an article to that extent. It is like my handwriting. I can't read it myself.

It is time that the internet infrastructure being used now should be abandoned in favor of a new one as discussed in the following two blogs

http://www.newerawisp.blogspot.com/
http://www.blogomonster/fakir005/

The infrastructure used to be in place before the internet era. As a matter of fact it is no infrastructure. It is a method of remote computing. In those days people remote computed by using a terminal no more sophisticated than a keyboard because there were no cellphones. Now we have cellphones that are owned by everyone although I don't have one and Regis and Kelly don't have one.

If that form of computing was reviewed the cellphone could serve as a client and the files could continue to be stored online. And the browsing duties could be handled by the server.

But then all that sophistication, that has been acquired by the programmers, would not be needed.
INCOMPLETE LINK
by newerawisp November 22, 2005 3:04 PM PST
The second link is incomplete.

The complete link is

http://www.blogomonster.com/fakir005
This makes any sense to anyone????
by Earl Benser November 22, 2005 4:18 PM PST
nt
I.E. [can be] safe, too.
by ZenWarrior November 22, 2005 7:02 PM PST
Granted, I don't run an "out-of-the-box" version of I.E., but an exploit check of this with the I.E.-based Maxthon came back just clean as a whistle--just like FireFox. That is, I discovered absolutely no risk from this particular "risk."

And with I.E. (vs. FireFox), I don't have to concern myself with plug-ins being broken, poorly coded, or in need of an update which isn't available, and also no web site compatibility issues. In other words, all of the good and no more of the bad than with any other browser.
Market %
by dankdweiss November 23, 2005 9:14 AM PST
Regardless of what browser you choose, IE, Firefox, Opera, Netscape; One thing will always be true:
The most vulnerable browser will always be the one that the most people use.
The simple fact remains 98% of the people browsing the internet use IE, and until that changes virus/exploit writers will continue to write code targeting IE systems, period.