Samker's Computer Forum - SCforum.info
World TOP Headlines: => Latest Security News & Alerts => Topic started by: Samker on 02. November 2010., 09:29:56
-
(http://1.bp.blogspot.com/_gvuiuxortv8/TDU5G-W6sCI/AAAAAAAAJDA/fy8m2vtBsdc/s1600/IE-Critical-vulnerability.jpg)
For almost two years, Microsoft's Internet Explorer browser has been vulnerable to attacks that steal digital security tokens and other sensitive data, a security researcher said recently.
Researcher Chris Evans said he alerted Microsoft to the information disclosure vulnerability in IE in December 2008. As of October 21, it remained unfixed, making his disclosure a “600-day” vulnerability, he quipped: http://scarybeastsecurity.blogspot.com/2010/10/minor-leak-major-headache.html (http://scarybeastsecurity.blogspot.com/2010/10/minor-leak-major-headache.html)
The bug resides in the IE mechanism for handling Javascript and runtime errors. In some cases, cross-origin content can be echoed back to attackers, allowing them to retrieve sensitive javascript variables. Once upon a time, this proof of concept exploited the vulnerability to steal a security token Google Reader uses to prevent XSRF, or cross-site request forgery, attacks. It has since been neutered by changes Google made, but when it worked, it forced the user to subscribe to a goat-farming feed without asking for permission: http://scary.beasts.org/misc/reader.html (http://scary.beasts.org/misc/reader.html)
“There are a varied number of text structures which can be stolen (iteratively if necessary) with this trick,” Evans warned.
Firefox was once vulnerable to similar attacks but maintainers of the open-source browser fixed the flaw in December 2008. That was the same month Microsoft was informed of the vulnerability, but it has been allowed to remain.
A Microsoft spokeswoman on Monday issued the following statement, which she attributed to Jerry Bryant, a spokesman for Microsoft response:
"Microsoft is aware of the public posting of a low severity information disclosure issue in Internet Explorer. A successful attack requires a victim website to be configured in a specific way which is non-standard for most sites. We are not aware of any attacks seeking to exploit this issue and will update customers if that changes."
(ElReg)
-
What You Need to Know About New IE Zero-Day
Internet Explorer is under attack again. Microsoft has issued a security advisory explaining a newly-discovered exploit impacting most versions of the Internet Explorer Web browser: http://www.microsoft.com/technet/security/advisory/2458511.mspx (http://www.microsoft.com/technet/security/advisory/2458511.mspx)
The security advisory contains details about the threat, as well as some guidance to protect vulnerable browsers pending a patch from Microsoft to fix the hole.
Andrew Storms, Director of Security Operations for nCircle: http://www.ncircle.com/ (http://www.ncircle.com/) , commented on the new threat, "It's always a serious concern when an IE zero-day surfaces, especially when it affects all versions of the browser. It's a little late for Halloween, but two zero days in one week is almost enough to make IT security teams run away screaming."
Storms added, "There is some good news however; Microsoft says the attacks are limited at the moment and data execution prevention (DEP), a security safeguard in newer versions of Windows, may be able to prevent attack execution."
A spokesperson from Symantec e-mailed me with these details. "A new zero-day vulnerability affecting Internet Explorer 6 and 7 is being used in targeted attacks. In these attacks people receive emails with a link pointing to a page which determines if a visitor is using Internet Explorer 6 and 7. If so, the script transfers the visitor unknowingly to the page hosting the exploit where malware is downloaded and runs on their computer without any user interaction. The vulnerability allows for any remote program to be executed without the end user's notice."
According to a post on the Microsoft Security Response Center blog: http://blogs.technet.com/b/msrc/ (http://blogs.technet.com/b/msrc/) , the issue also affects Internet Explorer 8, but not the beta of Internet Explorer 9. Microsoft also stresses, though, that while IE8 might be technically vulnerable, its superior security controls make it unlikely that it could be exploited. "Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue. This is due to the defense in depth protections offered from Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms."
A Symantec blog post describes the threat: http://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks (http://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks) , and the e-mails used to initiate the exploit. The discovery of this attack was related to targeted e-mails sent to a limited number of potential victims--indicating that perhaps the attackers were seeking to compromise specific targets rather than any random vulnerable system connected to the Internet.
The Symantec post explains, "Visitors who were served the exploit page didn't realize it, but went on to download and run a piece of malware on their computer without any interaction at all. The vulnerability allowed for any remote program to be executed without the end user's notice. Once infected, the malware set itself to start up with the computer, along with a service named 'NetWare Workstation'. The piece of malware opens a backdoor on the computer and then contacts remote servers. It tries to contact a specific server hosted in Poland for small files named with a .gif extension. These small files are actually encrypted files with commands telling the Trojan what to do next."
The Microsoft security advisory lists mitigating factors and workarounds to help users and IT admins guard against this threat. Microsoft recommends that users read e-mail messages in plain text, rather than HTML. Users of Internet Explorer 7 can turn on DEP--which is present, but not enabled by default--to offer additional protection.
Those unfortunate souls that still rely on Internet Explorer 6 are directed to set the Internet and Local Intranet security zones in the browser to High in order to block execution of Active X controls and scripts. In addition, a custom CSS style can be forced to override the Web CSS style sheets to prevent exploit, and organizations can also use the Enhanced Mitigation Experience Toolkit to take advantage of newer security controls on older, less secure software.
Arguably, the simplest solution, though, is to simply install the beta version of Internet Explorer 9: http://scforum.info/index.php/topic,4709.0.html (http://scforum.info/index.php/topic,4709.0.html)
Then you can protect your PC against this attack, and experience the new features and benefits of IE9 at the same time.
(PCW)