November 4, 2004 1:13 PM PST

Exploit code makes IE flaw more dangerous

The threat posed by a critical flaw in Internet Explorer has been ratcheted up by the release of a program designed to exploit the vulnerability, security researchers warned on Thursday.

Security information provider Secunia raised the buffer overflow flaw to its highest rating in a new advisory. The vulnerability, which was made public on Tuesday, could be used to make Internet Explorer trigger a malicious program when the Microsoft browser loads a specially formatted Web page. The flaw does not affect Windows XP Service Pack 2, Secunia said.

"This advisory has been rated 'extremely critical,' as a working exploit has been published on public mailing lists," the company said.

The Iframe flaw is the latest in a series of security issues related to Internet Explorer. This week, ScanSafe found that a flaw in the browser had racked up the highest number of attacks for one exploit in the second quarter. In addition, Microsoft has been drawn into a debate over whether a spoofing technique that uses Internet Explorer can be described as a flaw. Last month, security companies sent out a warning that a set of security holes affected Microsoft's browser among other major Web software.

Microsoft has begun to investigate the Iframe vulnerability and has not been made aware of any program designed to exploit the flaw, the company said in an e-mail statement to CNET News.com.

"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," the company stated.

The software company took issue with the public release of the vulnerability before it had been notified.

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said in the statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

For now, users can upgrade to Windows XP SP 2 or use a different browser.

The U.S. watchdog for Internet threats, the Computer Emergency Readiness Team (CERT), has also warned government and industry users about the Iframe flaw. According to the US-CERT advisory, the problem is caused by how Internet Explorer handles certain attributes of frames, a way of displaying Web content in separate parts of the browser window.

The US-CERT alert notes that other programs using the WebBrowser ActiveX control could be affected by the vulnerability. These programs include Microsoft's Outlook and Outlook Express, America Online's browser, and Lotus Notes.

29 comments

In other words
"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said in the statement. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

People or organizations who find one of the countless flaws in the garbage that we throw out should only tell us about it. That way we can ignore it.

Why is yet another critical flaw news?

What would be news is Microsoft getting something right the first time, or even the fifth.
Posted by (242 comments)
huh?
Um, in case you haven't noticed, MS is the largest and most successful software company in the history of, oh, I don't know, the PLANET.

Seems like they got PLENTY of stuff right the first time.
Posted by (127 comments)
IFrames in email
I started seeing IFrame spam again (after a gap of more than a year) two weeks ago.
I can only assume the hacker underground has known about this exploit for some time, and just now the word is out.

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk,"

Seems to me people are already at risk - I'd rather be warned so I can be on guard. A patch might come too late.
Posted by Marcus Westrup (630 comments)
I wonder how yours is setup
Ya know, you are not forced into viewing HTML email. The odds are pretty good that problem email is always going to be in the form of HTML (except for attachments).
Posted by Prndll (382 comments)
did you read?
A patch already exists... before the exploit even. As usual... and hey... it's free and available online. What more do you want?
Posted by David Arbogast (1709 comments)
*yawns*
*Checks to see if there are any new Firefox vulnerabilities* Nope. *goes back to work*
Posted by Jonathan (832 comments)
Firefox.....hhhhmmmm
There is too strong a connection between Mozilla and AOL. AOL rots things.
Posted by Prndll (382 comments)
The first paragraph....
says that
"The flaw does not affect Windows XP Service Pack 2, Secunia said."
Looks like Microsoft already fixed the problem. It just gives people that want to continue to use IE another reason to upgrade to SP2.
Posted by (4 comments)
Don't forget
Windows XP is less than half of the Windows users, last I heard. MS is not offering the security bug fixes in SP2 to anyone who does not own XP.

That means that over 50% of the systems out there are unprotected; this is a big issue, one that MS would do well to take seriously and give everyone the security fixes. They can hold back extras like their garbage firewall from non-XP users, but to withhold bug fixes is yet another unethical move on their part.
Posted by (242 comments)
The only real flaw.....
is upgrading. This problem is for IE6.0

6.0 does nothing for me but create problems. I see no reason to go beyond 5.5. I know that 5.5 has concerns as well, but with each and every upgrade comes more and more vulnerabilities and problems.

The point.....Newer DOES NOT mean better.
Posted by Prndll (382 comments)
true...
newer does not always mean better. Although newer typically means better support...
Posted by David Arbogast (1709 comments)
hm
I use Safari and Firefox on a Mac, should I be worried? ;)
Posted by cutekangaroo (29 comments)
geez
I don't know why people still continue to use microsoft ****.

They are drowning themselves being too popular and having holes open.

ah the hell with them.
Posted by cutekangaroo (29 comments)
There is a solution to this and many other vulnerabilities
Thirty steps to PC security:

This article describes the steps necessary to secure your Windows operating system from malicious exploits. The solutions listed below will protect you from every major vulnerability found on the Internet today, June 08, 2005. If by chance you would prefer to use tested software to enable these solutions, go to http://www.geocities.com/turbotramp2/samurai.html or download http://www.geocities.com/turbotramp2/samurai.zip to get the most recent version of Samurai. This Host-based Intrusion Prevention System will secure your machine using the solutions listed below.


DISABLE INSECURE CONTROLS: Disable known insecure ActiveX controls.

This solution disables the use of insecure ActiveX controls. The registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility is updated with the GUIDs of known insecure controls that do not affect normal operation when disabled. The GUIDs are:

// ADODB control
{00000566-0000-0010-8000-00AA006D2EA4}
// Shell.Application
{13709620-C279-11CE-A49E-444553540000}
// AnchorClick DHTML Behavior
{8856F961-340A-11D0-A96B-00C04FD705A2}
// Image Control 1.0 (uses asycpict.dll)
{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}
// DHTML Editing Control
{2D360201-FFF5-11D1-8D03-00A0C959BC0A}


PREVENT AIM EXPLOIT: Disable the AIM URL protocol handler.

This solution prevents the use of the AIM URL protocol by replacing the insecure ActiveX GUID with a harmless substitute, in this case the HTML Help GUID is used. The AIM URL protocol is not required for normal operation and does not affect AOL Instant Messaging.

The registry key is HKCR\PROTOCOLS\Handler\aim.
The registry value is CLSID.

PREVENT ANONYMOUS ACCOUNTS: Prevent anonymous accounts.

This solution prevents the use of anonymous sessions by setting the registry value HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous to true. This setting will not become active until the machine is rebooted. As such, the message "The new configuration will require a reboot" will be displayed when this setting is altered in Samurai.

DISABLE AUTO FILE OPEN: Disable automatic file open from explorer.

This solution prevents Explorer from opening files without first prompting the user. This is accomplished by masking all auto open bits in EditFlags values of registry keys located in HKLM\Software\Classes, HKLM\Software\Classes\Shell\Open, HKLM\Software\Classes\CLSID, HKCU\Software\Classes, HKCU\Software\Classes\Shell\Open and HKCU\Software\Classes\CLSID.

STOP BIT SERVICE: Stop the Background Intelligent Transfer Service.

This solution stops the Background Intelligent Transfer Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

DISABLE URL PROTOCOLS: Disable dangerous URL protocols.

This solution disables the use of insecure URL types "ms-its", "ms-itss", "its", "mk" and "local" by removing the type entries from the HKLM\Software\Classes\Protocols\Handler and HKCR\Protocols\Handler registry keys.

DISABLE DYNAMIC ICONS: Disable insecure job icon handlers.

This solution disables dynamic icon handlers for (.job) JobObject files by removing the "IconHandler" keys from "HKCR\JobObject\shellex" and "HKLM\SOFTWARE\Classes\JobObject\shellex". Dynamic job icon handlers are not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

SECURE EXPLORER ZONE 0: Set and secure "My Computer" zone.

This solution secures My Computer Zone by resetting the values of the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0. These special settings prevent many vulnerabilities including MS05-001, MS05-008 and MS05-014. The settings are:

1001 Download signed ActiveX controls Disable
1004 Download unsigned ActiveX controls Disable
1200 Run ActiveX controls and plug-ins Prompt
1201 Initialize and script ActiveX controls not marked as safe Disable
1400 Active Scripting Allow
1402 Scripting of Java applets Disable
1405 Script ActiveX controls marked as safe for scripting Allow
1406 Access data sources across domains Disable
1407 Allow paste operations via script Disable
1601 Submit non-encrypted form data Disable
1604 Font Download Disable
1605 Run Java Disable
1606 User Data persistence Disable
1607 Navigate sub-frames across different domains Disable
1608 Allow META REFRESH Disable
1609 Display mixed content Disable
1800 Installation of desktop items Disable
1802 Drag and drop or copy and paste of files Allow
1803 File Download Disable
1804 Launching programs and files in an IFRAME Disable
1E05 Software channel permissions 196608

DISABLE GRP ASSOCIATION: Disable dangerous .grp file conversions.

This solution disables the insecure association between .grp files and MSProgramGroup by deleting both registry keys from HKCR.

DISABLE GUEST ACCOUNT: Disable the Guest Account.

This solution disables the guest account by removing account registry keys V and F from SAM\SAM\Domains\Account\Users\000001F5. The guest account is not required for normal operation and can be used by privilege escalation exploits to gain full administrative control of a machine.

DISABLE HTML APP TYPE: Disable the HTML Application MIME type.

This solution disables the HTML application type by removing the application/hta registry key from both HKCR\MIME\Database\Content Type and HKLM\SOFTWARE\Classes\MIME\Database\Content Type.

PREVENT HTML FRAME EXPLOIT: Check FRAME/IFRAME NAME field.

This solution registers an HTML filter that checks for FRAME and IFRAME tags with overly long NAMEs. The filter removes overly long names from the HTML stream to prevent a well-publicized buffer overflow. This can only be accomplished with the Samurai HIPS.

SECURE HTTP SETTINGS: Secure HTTP configuration parameters.

This solution adjusts registry values under the HKLM\System\CurrentControlSet\Services\HTTP\Parameters key to secure HTTP from many common vulnerabilities. The settings are:

"AllowRestrictedChars" 0
"EnableNonUTF8" 1
"FavorUTF8" 1
"MaxConnections" 0x7fffffff
"MaxEndpoints" 0
"MaxFieldLength" 16384
"MaxRequestBytes" 16384
"PercentUAllowed" 1
"UrlSegmentMaxCount" 255
"UriEnableCache" 1
"UriMaxUriBytes" 262144
"UriScavengerPeriod" 120
"UrlSegmentMaxLength" 260

PREVENT IMAGE EXPLOITS: Check image files for correctness.

This solution hooks various system calls to block Animated Cursor (.ANI) and GDI+ (.JPG) files containing buffer overflow exploits. Only files with embedded buffer overflows will be blocked from image processing. Properly formatted ANI and JPG files will not be affected by this solution. This can only be accomplished with the Samurai HIPS.

STOP INDEX SERVICE: Stop the Windows Indexing Service.

This solution stops the Windows Indexing Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

SECURE LICENSE LOGGING: Disable null session License Logging.

This solution disables insecure null session license logging by removing "LLSRPC" from the NullSessionPipes value of the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters registry key.

PREVENT LSASS EXPLOIT: Prevent LSASS (Sasser based) exploits.

This solution repairs a well-known LSASS vulnerability by setting the LSASS dcpromo.log file to read only. The dcpromo.log file can be found in the system directory under the debug directory.

STOP MESSAGE SERVICE: Stop the Windows Messaging Service.

This solution stops the Windows Messaging Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. This solution does not affect Instant Messaging services.

STOP NET DDE SERVICE: Stop the Net DDE Service.

This solution stops the Network Dynamic Data Exchange Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

DISABLE PCT SERVICE: Disable the Private Communication Transport.

This solution disables the PCT protocol by disabling both the Client and Server registry keys under HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0. The PCT protocol is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

DISABLE UPNP SERVICE: Disable the Universal Plug and Play Service.

This solution stops the Simple Service Discovery Protocol, which disables Universal Plug and Play. The SSDP service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. This solution does not affect local Plug and Play operation.

DISABLE RDS: Disable the Remote Data Services Datafactory.

This solution disables 3 insecure RDS datafactory objects; RDSServer.DataFactory, AdvancedDataFactory and VbBusObj.VbBusObjCls by removing the corresponding registry keys from HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch. These objects are not used in normal operation and will not affect other Remote Data Services.

STOP REMOTE REGISTRY SERVICE: Stop the Remote Registry Service.

This solution stops the Remote Registry Service. This service is not required for normal operation and can be used to remotely reconfigure a host machine from a remote computer.

DISABLE ROOTKITS: Clear existing rootkits and prevent future loading.

This solution hooks system calls to prevent the loading of rootkits and refreshes the kernel's system call table to clear existing rootkits. This solution also contains a user interface that informs the operator when attempts are made to load device drivers during normal operation. This can only be accomplished with the Samurai HIPS.

DISABLE RPC-DCOM: Disable RPC based DCOM.

This solution disables the DCOM client protocol of the Remote Procedure Call protocol by setting HKLM\Software\Microsoft\OLE\EnableDCOM to N and removing any data in HKLM\Software\Microsoft\Rpc\DCOM Protocols. The Client DCOM portion of RPC is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. This setting will not become active until the machine is rebooted. As such, the message "The new configuration will require a reboot" will be displayed when this setting is altered in Samurai.

DELETE SAM FILE: Delete the backup password file.

Many Windows operating systems save a backup copy of the SAM file in the repair directory under the system directory. This file contains SMB username and password data that can be decoded by utilities such as JohnTheRipper to retrieve valid login information. The backup file is only used for emergency backup and is not required for normal operation.

DISABLE SHELL URL: Disable the Shell URL protocol handler.

The solution disables the Shell protocol handler by replacing the insecure ActiveX GUID found at HKCR\PROTOCOLS\Handler\shell\CLSID with a harmless substitute, in this case the HTML Help GUID. The Shell URL protocol is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

BLOCK SYN ATTACKS: Prevent TCP/IP SYN attacks.

This solution helps to prevent SYN Flood Attacks from disabling TCP/IP by setting the "SynAttackProtect" value of the "HKLM\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters" registry key. The value is set to 2, which adds additional delays to connection indications and allows TCP connection requests to quickly timeout when a SYN attack is in progress.

DISABLE WWW DAV: Disable Distributed Web Authoring.

This solution disables the Distributed Web Authoring service by setting the "DisableWebDAV" value of the "HKLM\System\CurrentControlSet\Services\W3SVC\Parameters" registry key. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

DISABLE WIN SERVICE: Disable the Windows Internet Naming Service.

This solution disables the Windows Internet Naming Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer.

I hope this helps,
TurboTramp
Posted by (1 comment)
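One way to implement the frame-name check described in the "PREVENT HTML FRAME EXPLOIT" step above, as an added example that is neither Samurai's code nor anything posted in the thread: a Python filter that re-serialises an HTML stream, strips NAME or SRC attributes on FRAME/IFRAME tags whose length exceeds an assumed, configurable limit (MAX_ATTR_LEN is not a value from the page), and records what it removed so the event can be logged. The sample document is constructed.

```python
from html import escape
from html.parser import HTMLParser

MAX_ATTR_LEN = 256             # assumed, configurable limit (not from the page)
WATCHED_TAGS = {"frame", "iframe"}
WATCHED_ATTRS = {"name", "src"}


class FrameAttrFilter(HTMLParser):
    """Re-emit an HTML stream, dropping overlong NAME/SRC on FRAME/IFRAME."""
    def __init__(self, max_len=MAX_ATTR_LEN):
        super().__init__(convert_charrefs=False)   # keep &amp; etc. verbatim
        self.max_len = max_len
        self.out = []          # re-serialised output fragments
        self.findings = []     # (tag, attr, length) per stripped attribute

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us
        parts = [tag]
        for name, value in attrs:
            if (tag in WATCHED_TAGS and name in WATCHED_ATTRS
                    and value is not None and len(value) > self.max_len):
                self.findings.append((tag, name, len(value)))  # drop it
            elif value is None:
                parts.append(name)                              # bare attribute
            else:
                parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def filter_frames(html_text, max_len=MAX_ATTR_LEN):
    """Return (cleaned_html, findings) for one HTML document or fragment."""
    p = FrameAttrFilter(max_len)
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.findings


SAMPLE_HTML = (  # constructed: one benign IFRAME, one with a 4000-char NAME
    '<html><body><p>Benign text &amp; frame</p>\n'
    '<iframe src="http://example.invalid/ok.html" name="ok"></iframe>\n'
    '<iframe src="http://example.invalid/x.html" name="' + "A" * 4000 + '">'
    '</iframe></body></html>'
)

if __name__ == "__main__":
    cleaned, hits = filter_frames(SAMPLE_HTML)
    for tag, attr, length in hits:
        print(f"stripped <{tag}> {attr} attribute of {length} characters")
```

Self-closing `<frame ... />` tags are re-emitted as an open/close pair by html.parser's default handling, which is harmless for this purpose.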