Another Zero-Day IE Scripting Exploit

← Back to Stories (view on slashdot.org)

Another Zero-Day IE Scripting Exploit

Posted by Hemos on Wednesday June 9, 2004 @03:47AM from the what-wonderful-toys-they-have dept.

billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."

19 of 696 comments (clear)

Min score:

Reason:

Sort:

BugTraq by Mz6 · 2004-06-09 03:47 · Score: 5, Informative

Posted to BugTraq 6/7.. 2 days ago...
Here is the BugTraq Archive link.. WARNING.. The link to this site contains OTHER links to the ACTUAL exploit as well as the source code and a non-harmless display. Use at your OWN risk. Just thought I would put out the disclaimer.

--
Hmmm.
1. Re:BugTraq by GSloop · 2004-06-09 09:19 · Score: 4, Informative
  
  How about this...from one of the creators of the Internet...
  
  Vint Cerf responded to MSNBC
  
  From http://www.msnbc.com:80/news/249325.asp (which has apparently subsequently timed out). See also ``Revisionist Internet History.'' --jsq
  
  Vint Cerf responded to MSNBC's questions about the Net's origins with this e-mail:
  
  VP Gore was the first or surely among the first of the members of Congress to become a strong supporter of advanced networking while he served as Senator. As far back as 1986, he was holding hearings on this subject (supercomputing, fiber networks...) and asking about their promise and what could be done to realize them. Bob Kahn, with whom I worked to develop the Internet design in 1973, participated in several hearings held by then-Senator Gore and I recall that Bob introduced the term ``information infrastructure'' in one hearing in 1986. It was clear that as a Senator and now as Vice President, Gore has made it a point to be as well-informed as possible on technology and issues that surround it.
  
  As Senator, VP Gore was highly supportive of the research community's efforts to explore new networking capabilities and to extend access to supercomputers by way of NSFNET and its successors, the High Performance Computing and Communication program (which included the National Research and Education Network initiative), and as Vice President, he has been very responsive to recommendations made, for example, by the President's Information Technology Advisory Committee that endorsed additional research funding for next generation fundamental research in software and related topics. If you look at the last 30-35 years of network development, you'll find many people who have made major contributions without which the Internet would not be the vibrant, growing and exciting thing it is today. The creation of a new information infrastructure requires the willing efforts of thousands if not millions of participants and we've seen leadership from many quarters, all of it needed, to move the Internet towards increased availability and utility around the world.
  
  While it is not accurate to say that VP Gore invented Internet, he has played a powerful role in policy terms that has supported its continued growth and application, for which we should be thankful.
  
  We're fortunate to have senior level members of Congress and the Administration who embrace new technology and have the vision to see how it can be put to work for national and global benefit.
Not everyone can use Mozilla... by TrentL · 2004-06-09 03:50 · Score: 4, Informative

Unfortuneately, some businesses restrict what software the employees can install on their computer. I've written about such an experience here.
1. Re:Not everyone can use Mozilla... by stecoop · 2004-06-09 04:02 · Score: 4, Informative
  
  I'm running Mozilla on a restricted computer. Go download the ZIP files and simply extract them to any folder you can write to even if that means in your home directory on unix or My documents on NT.
  
  Here is the path for the latest release candidate of Mozilla just unzip and run mozilla.exe:
  http://ftp.mozilla.org/pub/mozilla.org/mozilla/rel eases/mozilla1.7rc3/mozilla-win32-1.7rc3.zip
  
  Have Fun!
2. Re:Not everyone can use Mozilla... by AKnightCowboy · 2004-06-09 04:55 · Score: 4, Informative
  
  Why would they want to take such a risk by running Internet Explorer?
  Because many web based applications require it. Our SAP system for procurement for instance requires IE 6 on a Windows box. Our Mac users must use a Citrix server to access Windows to access the system. It's very stupid to come up with such a broken system, but that's the way the cookie crumbles.
  Our time card program is another app that simply doesn't work on anything other than IE 6 on Windows.
Re:Yet again... by irokitt · 2004-06-09 03:54 · Score: 4, Informative

Even more disappointing is that this hole in IE is then used to put a file on your computer, and then the file takes advantage of a local exploit that Microsoft has known about since August of 2003. Yet they have failed to patch it.

--
If my answers frighten you, stop asking scary questions.
Kudos to Norton by JMZero · 2004-06-09 03:58 · Score: 4, Informative

I tried the demonstration, and Norton popped up and prevented the thing from running. Apparently someone's on the ball somewhere.

--
Let's not stir that bag of worms...
1. Re:Kudos to Norton by JPDeckers · 2004-06-09 04:30 · Score: 5, Informative
  
  Well, The demonstration is indeed blocked.
  But after reading the article, I tried the real installer URL, and, surprise, with Norton Antivirus (fully updated) the ad-bar WAS installed.
  As said in the article, due to various layers of encoding the javascript, detection is avoided.
  Ad-Aware luckely recognized all 34 (!!) regkeys, dll's etc.
Symantec by mrgrey · 2004-06-09 03:59 · Score: 4, Informative

Symantec catches this vulnerability as the following:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader.Trojan
File: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\67HK1KWV\installer[1].html
Loca tion: Quarantine
Computer: Computer
User: User
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, June 09, 2004 11:56:26 AM

Most corporations should have little to worry about.

--
-Tolerate my intolerance
MOD PARENT UP by bircho · 2004-06-09 04:00 · Score: 4, Informative

Reference to Microsoft advice (he was trying to be funny, you insensive clod.)
.
Re:What do you mean "zero-day"? by Mz6 · 2004-06-09 04:05 · Score: 4, Informative

Get out of your pirate 0-day mindset and into a security one.
Usually, people that find a security hole will kepp it to themselves and alert the vendor about it. Then, giving them substantial time (in Microsoft's case) to fix the hole, you can release the hole and how it was exploited. When a hole is released in the wild without the vendor knowing about it, it's called 0-day.

--
Hmmm.
And the pain continues by Da_Slayer · 2004-06-09 04:06 · Score: 5, Informative

Another IE security problem, are you suprised by this? Lets make an insecure piece of software that intergrates into our operating system with portions of it running at Ring Zero. This allowing whatever malicious code/hacker to gain access to your system.

Now most people recommnd just switching to Linux. Yeah that works. But what about those hacked Windows PCs that happen to be remotely controlled? Some are sending SPAM others are used for DDoS attacks and others just scan all the IP space they can get ahold of.

It is a vicious cycle which has been growing more pronounced over the past 4 years. The only real solution to this problem is to inform people. Don't just tell people to use something else.

Explain the advantages of using a different program. In this case explain how Mozilla or Opera being seperate programs with different internal works and security systems are not going to be compromised as easily.

--
Push harder towards Open Media/Content
Re:100% Safe IE by afidel · 2004-06-09 04:11 · Score: 5, Informative

You only THINK you are joking:

The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.
linky

This was for a previous IE link related exploit. When MS is telling not to use their product in the most basic manner expected of the product then it should be painfully obvious that the product is broken.

--
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
SP2 is not beta by Barlo_Mung_42 · 2004-06-09 04:25 · Score: 4, Informative

It is RC1 and it is available here
Exploit analysis by gmuslera · 2004-06-09 04:27 · Score: 5, Informative

As it is not directly linked by the story, in http://62.131.86.111/analysis.htm there is an analysis of the exploit that looks very helpful to understand why and how it works.
As always, are from the start design problems the ones exploited here, artificial solutions like separating internet in "zones" (local, trusted, etc) are just patches that don't resolve the core problem so it still have more holes that a swiss cheese.
Re:Time to get JavaScript off your site by pesc · 2004-06-09 04:27 · Score: 4, Informative

Right... so it's time to turn to Struts and JSPs for validation every form on our site.

Yes, because you can't trust the client! You can't trust that the client has javascript turned on. You can't even trust that he is running a web browser. He may be running some cool scripts an POSTing whatever malicious data he thinks would be fun to try.

Really, if it is important to validate your data you need to do it on the server!

--

)9TSS
Re:javascript by jandrese · 2004-06-09 04:28 · Score: 4, Informative

Uh, you're forgetting about the third extremely prevelant form use of Javascript: Navigation. Many sites use javascript apps for the regular links (especially if the link is supposed to pop up a small window with a little additional information). These sites are completely unusable if you disable Javascript. The worst part is that entities like banks and businesses are the most likely to use this form of navigation (because they hired "professional" web designers).

I used to enable and disable Javascript a lot to deal with this problem, but then I swiched to Mozilla and just left it on. It hasn't been a problem for me yet.

--

I read the internet for the articles.
extremely sophisticated use of encrypted code by landoltjp · 2004-06-09 04:48 · Score: 5, Informative

Dutch researcher Jelmer [...] embarked on a detailed analysis of the link, which demonstrates an extremely sophisticated use of encrypted code.

Hmm... I hardly consider using the (unfortunatly) existing Script encoding feature in IE to be 'sophisticated'. Besides, for those who are not DMCA-encumbered, here is a program to Decode the Javascript contained in the "JScript.Encode" areas. (The author of the script has an interesting and informative article on what a piece of crap the JScript.Encode function is, and can be found here)
Re:But wait--here's another list of vulnerabilitie by HBI · 2004-06-09 05:22 · Score: 4, Informative

You forgot to tell the reader one thing - all those bugs in Mozilla are already fixed.

None of the ones in the IE list are.

Either you don't read carefully or you are purposefully trying to mislead, I can't decide which.

--
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.