IE Download.Ject Exploit Fixed

Saint Aardvark writes "Just in time for the weekend, the Internet Storm Center is reporting that Microsoft is providing a fix for the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."

FYI

[arieswind]

This configuration change to the Windows XP, Windows Server 2003 and Windows 2000 operating systems improves system resiliency to protect against the Download.Ject attack.

In addition to this configuration change, which will protect customers against the immediate reported threats, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections for our customers.

Please note that this isnt a fix, it is only a configuration change to help defend against the problem and nullify the threat from the known places it is spreading from. No doubt that within a short time, whoever is behind the virus will find other places to have the virus attack from. This is just another "this will help for now, please wait for the real fix" incident from Microsoft.

Re:FYI

Nope:

Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669)
Adodb.stream provides a method for reading and writing files on a hard drive.

Quick Info
File Name:
Windows-KB870669-x86-ENU.exe

Download Size:
104 KB

Date Published:
7/2/2004

Version:
870669

Overview
Adodb.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer.

It has nothing to do with known threats.

Re:FYI

[geekopus]

to release a patch to a commercial application...(you've) got to make sure you test it thoroughly because...unlike Open Source, the liability is on YOU if people can't get their work done

I agree with most of your post, but I haven't seen many manufacturers care a whit about liability. In fact, the EULA specifically absolves MS of any liability. Most OSS licenses do the same, of course, but you imply that MS can be held liable, which they cannot.

One down, ??? to go

[rjune]

For the others, Microsoft has provided customers with prescriptive guidance to help mitigate those issues.

Um

You can have Automatic Update download and even install things on Windows XP.

Re:Um

[Zed2K]

You can make it completely automatic on 2000 also.

Re:Um

[sid+crimson]

I don't need the Euro conversion utility. I don't need windows media player 9.

Autoupdate only installs "critical" patches. WM9 and the Euro tool are not such updates.

-sid

Re:Um

[TheSHAD0W]

You can set Automatic Update to ask whether you want the updates installed or not. Right-click My Computer, Properties, Automatic Updates tab, check "Keep my computer up to date", and select "Notify me before downloading any updates". (Note that this is for XP; there's a similar setting for 2K. Not sure about 98/ME.)

What about ActiveX?

[jZnat]

They might've found one way to prevent the auto-download, but there are still plenty of ways to force a download using ActiveX. Even with that, there are still a few ways to run them too; methods that are still unknown to most assholes trying to get you to buy their pills that give you bigger penis-breasts-ego-wallet-spyware-car-wife-mom-WMDs .

Microsoft released a fix a long time ago

[Sheepdot]

Ever wondered how IE exploits get a whole executable to your computer?

Wonder no more. 11 months of IE exploits and at least a year or two's worth of future exploits can be avoided with one simple registry change. The problem that MS has isn't that they are incompetent, it's that they insist on leaving default features that are used by 1% of administrators like myself.

98% of spyware released since January 2004 can be avoided with the above registry fix. If you think that statistic is outrageous, I challenge you to find one piece of malware installed without using ADODB.Stream in one way, shape, or form. Be forewarned, I make and research IE exploits for a living and wouldn't make this kind of a claim without having the data to back it up.

Re:Microsoft released a fix a long time ago

[egarland]

Isn't this exactly what he current fix is doing? I checked my registry after applying the fix and that key listed on that page seems to have been added.

Re:Microsoft released a fix a long time ago

[jesser]

11 months of IE exploits and at least a year or two's worth of future exploits can be avoided with one simple registry change.

The registry change you point to only affects the ADODB.Stream object. While holes involving ADODB.Stream may have made up a large porportion of successful exploits by spyware (as you claim), there have been other arbitrary-code-execution vulnerabilities in Internet Explorer during the time period you mention.

I'm guessing that there have been several zone-jumping holes, and ADODB.Stream makes all zone-jumping holes into arbitrary-code-execution holes. Is that what you mean by "using ADODB.Stream in one way, shape, or form"?

I make and research IE exploits for a living and wouldn't make this kind of a claim without having the data to back it up.

I find and fix Mozilla security holes as a hobby and I think you're making stuff up.

Re:Where is the notice?

[beezly]

There's a copy at http://www.kb.cert.org/vuls/id/323070. Right down at the bottom under "Use a different web browser".

M.S. claims exploits happen AFTER patch is issued

[sybarite]

I work for a consulting company that is a Microsoft Parter. Recently we had a Microsoft sponsored security seminar where the MS guy said that most exploits occur when hackers reverse engineer Microsoft security patches. This is what he defined as a "0-day exploit". I was pretty disgusted by this twisted propaganda. Any regular subscriber to BugTraq is aware of many vulnerabilities in fully patched Microsoft systems that are not corrected for months.

Re:48 Hours

[savagedome]

Stupid Mods. If you don't know what the poster is talking about, don't mod it. Just leave it and go to the next post.

He is referring to this Security Focus article

From the article,
Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time -- the average time -- to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates. "Today we have that down to less than forty-eight hours."

I already posted link to this article here

Fix not available yet

[mabu]

Talk about damage control... they don't have the fix on their site at the time of this writing... so it's vaporware for now.

I know of at least two very large companies who have moved to Firefox in the wake of this latest episode. I suspect many people are finally fed up, which has prompted MS to announce patches before they're even available.

Considering a recent patch to fix a vulnerability broke the complaince of IE as it relates to embedded uids/pws in URLs, I wouldn't be surprised if this "fix" ends up crippling something else.

We should start collecting wagers on what new problems this upcoming "fix" introduces. Otherwise it would probably be online by now.

HERE Re:Where is the notice?

[holy_smoke]

http://www.kb.cert.org/vuls/id/713878

"Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML)."

Re:not a troll

[jesser]

The slashdot rendering bug (bug 217527) can happen even without AdBlock. It's fixed on the trunk, so if you switch from 0.9 or 0.9.1 to a trunk nightly, you won't see the problem any more.

Re:Where is the notice?

[jufineath]

http://www.kb.cert.org/vuls/id/323070

the very last suggested solution states:

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser.

i'm no web journalist, but i'd hardly call that a recommendation or urging to use a browser other than ie.

IE Download.Ject Exploit *not* fixed

[yeremein]

... this update is actually just a configuration change that disables the ADODB.Stream object from within Internet Explorer.

The stream object contains several methods for reading and writing binary files and text files. When this by-design functionality is combined with known security vulnerabilities in Microsoft Internet Explorer, an Internet Web site could execute script from the Local Machine zone.

No security vulnerabilities have actually been fixed here; all that's happened is that some functionality (which exacerbated existing security holes and was probably a bad idea to begin with) has been disabled.

Re:Got it, but..

[jazzmans]

I've noticed, that if you have cookies blocked from doubleclick, the mozilla/firefox browser will sit on a web page for up to 2 minutes before loading. This is especially noticible on financial web sites, and news web sites. Doubleclick is causing this, not an error in the browser.

jaz

Windows 9x and Windows ME users still vulnerable?

[prandal]

According to SecuritiyFocus. Windows 95, 98 and ME users are also vulnerable. So why is this patch only for Windows NT, 2000, XP, and 2003?

It does NOT run on Windows 98.

Oh, I remember, Microsoft only produces patches for "supported" (if that's what you can call it) products.

Re:Get the fix early here.

Yes.

Re:That reminds me...

[afidel]

Wow, tell your IT guys to use psshutdown from systinternals with a 30 second shutdown flag. Works wonderfully for me and if the user can't be bothered to save in 30 seconds the document isn't that important.

Re:Windows 9x and Windows ME users still vulnerabl

[prandal]

Chuck this into a .reg file and import.. The bit in square brackets is one line only - substitute a space for any linebreaks...

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA 4}]
"Compatibility Flags"=dword:00000400

Re:not a troll

[bheerssen]

Look, Firefox IS NOT READY for prime time. That's why it has a sub 1.0 version number, and why it is considered a 'technology preview'. In this context, some serious bugs are to be expected. Have some patience. The bug has been fixed in develepment and will make it into the normal builds in due time.

If you want to complain, complain about Seamonkey. It suffers from the same bug, yet is at version 1.7.

Oh, and btw, [Ctrl +] (optionally, followed quickly by [Ctrl -]) will cause the page to re-render and display correctly. It's an easy work around until the fix makes it into the official builds.

Re:Got it, but..

[ccady]

Instead of disallowing DoubleClick cookies, edit your hosts file to change the address for the DoubleClick sites. These are the relevant ones that I've got in my hosts file--YMMV.

127.0.0.1 doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.au.doubleclick.net
127.0.0.1 ad.fr.doubleclick.net
127.0.0.1 ad.uk.doubleclick.net
127.0.0.1 ln.doubleclick.net

Re:That reminds me...

[innocent_white_lamb]

if the user can't be bothered to save in 30 seconds the document isn't that important.

30 whole seconds, eh? What if I'm writing the document and took a moment to walk across the room to the bookcase or filing cabinet to consult a reference of some kind? Or someone just walked in and asked me a question. Or the phone rang. Or...

30 whole seconds?