Slashdot Mirror


Extremely Critical IE6/SP2 Exploit Found

Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"

28 of 595 comments

  1. Whoa by FractusMan · · Score: 4, Informative

    I use Mozilla. I tried that test link, nothing at all happens. I have SP2 installed and all configured properly - except IE, which I didn't bother to touch at all since installation. I figured, hey, I've got an 'untouched' copy of IE here. I open it, I go to the test site, I click that link: WHOA. Holy crap. Help document pops up, and then (the scary part) a command prompt flicks open, does SOMETHING, and then a new window is up. Yikes. I guess some part of me always hoped these exploits were exaggerated in their swiftness and ability to bypass your input.

  2. It fries Safari by kiddailey · · Score: 5, Informative


    Pardon the technical terminology :)

    With Safari 1.2.4 (v125.12), I get a "Safari cannot find the Internet plug-in." error dialog and then the beachball of death. Joy. Well, at least it's not opening the terminal.

  3. Re:Heh by Anonymous Coward · · Score: 1, Informative

    > But one with proper security controls put in place like a good
    > virus scanner/firewall/IE settings/anti spyware and creating a
    > non-admin user for web browsing

    Funny. I don't have any of those in place on my Linux, Amiga or OSX boxes and I'm not having any security problems.

    I'm browsing the same internet as everyone else. I don't care to stop myself going to a site because it might contain spyware either. Might be something else that's problematic for the rest of the world, like say... insecure Windows? Yeah that's the ticket!

  4. Fairly simple solution by jazman · · Score: 4, Informative

    although it requires a bit of messing around. IE - Tools - Options - Security.

    select Internet Zone; click Custom Level; set just about everything to Disable or Prompt.

    select Trusted Sites; click Sites; remove https requirement (because the use of https is no guarantee of safety). Then go to Custom Level, then set some items to Prompt, most to Enable.

    This way, anything that isn't in your Trusted Sites list can't get up to any substantial shenanigans. When a page doesn't work, add the site to the Trusted Sites list.

    Then, even if the page is one that attempts to initiate a cascade of pr0n sites that only open more up each time you close one, it may be able to open the first level of the cascade, but unless the cascaded ones are also on your Trusted list that's where the cascade will stop.

    Some pages redirect you to another site; some have frames on different sites and so on, and this can get a bit tedious, but for the most part this makes IE6 invulnerable to Secunia's tests.

    Also I only use IE for secondary browsing, where something REALLY won't work in Firefox, which is also protected by Proxomitron.

  5. Re:But... by ozmanjusri · · Score: 3, Informative

    Why not just put it into .hlp files like it used to be? I don't recall any security issues with those.

    Not since December 27 2004, anyway...

    "XFocus also reported a hole in winhlp32.exe, the Windows .hlp file parsing program. The vulnerability is forged from a decoding error within the .hlp header. A perpetrator can exploit the flaw by triggering a heap-based buffer overflow."
    http://www.esecurityplanet.com/patches/article.php/11778_3452081

    --
    "I've got more toys than Teruhisa Kitahara."
  6. Sophos Anti-virus detects pages using this exploit by kasihan · · Score: 4, Informative

    I use Sophos Anti-virus - and it alerts on the cached copy of the test page as containing a virus/exploit EXP/Phel-A:

    http://www.sophos.com/virusinfo/analyses/expphela.html/


    EXP/Phel-A detects files that exploit the HTML Help Control Vulnerability which affects systems installed with Microsoft Windows XP Service Pack 2.

    This vulnerability allows arbitrary code execution on the vulnerable system by bypassing security constraints established by the operating system.

  7. WARNING! - second link is bad for your PCs health! by Anonymous Coward · · Score: 1, Informative

    in the article up there...
    the link to

    http://www.jmcardle.com/?postid=77

    is a VERY BAD PUPPY. tried to crack my browser's head.

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Bloodhound.Exploit.21
    File: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\41AJW52F\jmcardle[1].htm
    Location: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\41AJW52F
    Computer: MYPC
    User: User
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: 9 ianuarie 2005 12:45:25

  8. Re:No explanation about what the test does... by typhoonius · · Score: 4, Informative

    Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.

    It opens an HTML Help document, then a command console that quickly closes (dunno what that did), then opens an IE page with this helpful document.

  9. Re:But... by RAMMS+EIN · · Score: 3, Informative

    ``Secondly, why in the HELL is anyone using HTML files for help documents?''

    Why not HTML? Windows help is hypertext, and HTML is the standard for exactly that. I'm all the happier when people use standard formats rather than proprietary ones.

    And for the record: HTML is completely secure. It's just data that gets rendered. Security holes are always either in the code that processes the HTML (which is a problem with that code, not with HTML) or in extensions (which is a problem with the extension and the program that uses the extension).

    --
    Please correct me if I got my facts wrong.
  10. Re:No explanation about what the test does... by beelsebob · · Score: 2, Informative

    Probably because cmd.exe (and iexplore.exe) are found in C:/windows, and it needs the full path to launch one in the first place.

  11. Re:Delete files? by wfberg · · Score: 2, Informative

    One would assume that any vulnerability that could run arbitrary code would be able to delete files.

    Not necessarily. If the arbitrary code is run in a restricted security context (e.g. Guest User, sandbox, restricted zone/role/capability) it shouldn't be able to delete files it has no access to. The exploit would need to run a second exploit for privilege elevation.

    Thankfully, in Internet Explorer's ActiveX security model none of all that is necessary, greatly speeding up the development of worms.

    --
    SCO employee? Check out the bounty
  12. Re:No explanation about what the test does... by 0x461FAB0BD7D2 · · Score: 5, Informative

    The Secunia test uses the ntshared.chm MS-HTML help file, via ActiveX, to call this script, which, in turn, starts a new IE which goes to this site.

    The JMCardle test does something similar, but calls this script instead, which just runs
    mkdir C:\\ie6vulnerability.jmcardle
    in Command Prompt

  13. Quick Fix for IE users... by zz85 · · Score: 2, Informative

    is to disable ActiveX
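    The zone configuration jazman walks through in comment 4 and the "disable ActiveX" fix zz85 gives here are both per-user IE settings that live in the registry, so they can be applied and, more importantly, verified without clicking through the dialogs. The batch script below is an added example for XP SP2 / IE6 and is not from either poster; it uses reg.exe (shipped with XP) and the zone registry layout Microsoft documents in KB182569 (zone 3 = Internet, zone 2 = Trusted Sites; action data 0 = Enable, 1 = Prompt, 3 = Disable). The domain example.com is a placeholder for a site you would trust.

```batch
@echo off
rem Added example, not code from the thread: script the IE6 zone lockdown
rem described in comments 4 and 13 so it is repeatable and auditable.
rem Registry layout per Microsoft KB182569 (HKCU = current user only).
setlocal
set ZONES=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
set ZMAP=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

rem --- Internet zone (3): active content off ---
rem 1001 Download signed ActiveX     1004 Download unsigned ActiveX
rem 1200 Run ActiveX controls        1201 Init/script controls not marked safe
rem 1405 Script controls marked safe 1804 Launch programs/files in an IFRAME
rem 1806 Launch applications and unsafe files (new in XP SP2)
for %%V in (1001 1004 1200 1201 1405 1804 1806) do (
    reg add "%ZONES%\3" /v %%V /t REG_DWORD /d 3 /f >nul
)
rem 1400 Active scripting: Prompt rather than Disable, so a page that
rem breaks is visibly blocked instead of silently failing.
reg add "%ZONES%\3" /v 1400 /t REG_DWORD /d 1 /f >nul

rem --- Trusted Sites (2): most things Enable, the risky ones Prompt ---
for %%V in (1200 1400 1405) do (
    reg add "%ZONES%\2" /v %%V /t REG_DWORD /d 0 /f >nul
)
for %%V in (1001 1004 1201 1804 1806) do (
    reg add "%ZONES%\2" /v %%V /t REG_DWORD /d 1 /f >nul
)

rem --- Map a site into Trusted Sites for http AND https ---
rem A value named after the scheme, whose data is the zone number, maps
rem that scheme+domain to the zone. example.com is a placeholder.
set SITE=example.com
reg add "%ZMAP%\%SITE%" /v http  /t REG_DWORD /d 2 /f >nul
reg add "%ZMAP%\%SITE%" /v https /t REG_DWORD /d 2 /f >nul

rem --- Verify: the Internet-zone ActiveX setting must read 0x3 ---
echo Internet zone (expect 0x3 for 1200, 0x1 for 1400):
reg query "%ZONES%\3" /v 1200
reg query "%ZONES%\3" /v 1400
echo Trusted Sites mapping for %SITE%:
reg query "%ZMAP%\%SITE%"
endlocal
```

    Run it from a command prompt as the user whose browser you are hardening, and re-run the reg query lines after any software install: as PommeFritz reports further down, some products (McAfee's panels in his case) reopen or rely on these settings. If an administrator has set Security_HKLM_only under Internet Settings, IE reads the HKLM copy of these keys instead and the per-user values above are ignored, so check that key when the query output looks right but the test page still behaves as before.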

  14. According to their own test... by gatkinso · · Score: 2, Informative

    ...this unpatched XP laptop is not vulnerable to the exploit.

    Guess it isn't as extremely critical as they say.

    --
    I am very small, utmostly microscopic.
    1. Re:According to their own test... by Anonymous Coward · · Score: 1, Informative

      While my patched system is vulnerable. What now? Everyone uninstall their updates and service packs, please?

  15. McAfee virusscan itself is also affected in a way! by PommeFritz · · Score: 5, Informative

    I have McAfee virusscan 9.0 installed.
    Clicking the test link with IE proved that my system is vulnerable (if using IE, which I'm not, of course). I had expected McAfee to block this web page, but it didn't. So I went to the internet security options panel in IE, and disabled all ActiveX controls.
    But lo and behold, McAfee virusscan stopped working!
    All their dialogs and panels seem to be using IE's HTML engine for display, and all I get now is first an error "your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly" and then an empty window when trying to access any of McAfee's information or settings dialogs!!
    What a load of crap. I will send them a complaint, and remove their product from my computer right now, to replace it with a good, free virusscanner. Any recommendations? Thanks.

  16. Re:Test site by CerebusUS · · Score: 4, Informative

    This is NOT a new vulnerability. This is an upgraded severity on a vulnerability that was reported almost 3 months ago:

    From the article:
    Secunia Advisory: SA12889
    Release Date: 2004-10-20
    Last Update: 2005-01-07 ...

    Changelog:
    2004-10-21: Updated advisory.
    2004-10-28: Added another workaround in "Solution" section and linked to Microsoft Knowledge Base article.
    2004-11-02: Updated with additional information in "Description" and "Solution" section.
    2004-11-29: Updated "Description" section with additional information from Paul.
    2004-12-23: Added link to US-CERT vulnerability note.
    2004-12-25: Updated "Description" section with additional information from Paul and Michael Evanchik.
    2005-01-07: Increased rating. Added link to test. Updated "Description" and "Solution" sections.

    So they upped the severity rating and added another workaround. This isn't really news. You've been vulnerable to this for almost 3 months now.

  17. Re:That's exactly my point... by irc.goatse.cx+troll · · Score: 5, Informative

    Launches the new IE window using cmd /c iexplore.

    --
    Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  18. Reported to Microsoft ... by un1xl0ser · · Score: 4, Informative

    In case anyone missed this, it was reported to Microsoft on 2004-10-13.

    Three months later, no sign of a patch.

    --
    v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
  19. Re:Heh by molnarcs · · Score: 5, Informative

    Bad news for everyone - except for some open source advocacy. Gives a nice opportunity to show how MS talks bullshit - when they talk about security. Did anyone notice the date when Microsoft was notified?

    Provided and/or discovered by:
    1) Discovered independently by:
    * http-equiv
    * Andreas Sandblad of Secunia Research (reported to Microsoft on 2004-10-13).

    That's right, Microsoft "we take security very seriously" Corporation has known about this vulnerability for almost two months, yet they left it unpatched? Why?

  20. Re:McAfee virusscan itself is also affected in a w by zerocool^ · · Score: 3, Informative

    I am sorry that I cannot recommend any free virus scanners. The *only* virus scanner that I ever recommend to anyone now is TrendMicro. After working with it for a while now, I almost refuse to fix problems with McAfee and Norton. Both of them drastically slow down a computer, and both of them miss viruses that TM finds regularly.

    If you'd like to see it in action, go to Trendmicro.com/download and click on "Damage Cleanup Engine", download "sysclean", then go back and click on "Virus Pattern File" and download the latest (currently lpt335.zip). Unzip this into the same directory as sysclean and run it.

    This solution won't stay in memory and scan everything that accesses your computer or HDD, but it will find viruses if you have any.

    ~Will

    --
    sig?
  21. Re:No explanation about what the test does... by mattyrobinson69 · · Score: 3, Informative

    No, internet explorer belongs here:

    \Program Files\Internet Explorer\Iexplore.exe

    Sounds like you've got a virus

  22. Re:No explanation about what the test does... by LiquidCoooled · · Score: 3, Informative

    The test requires the C:\windows folder because it directs the Help display control (hhctrl.ocx) to a default help file stored within the windows folder:

    "c:/windows/help/ntshared.chm"

    Once this help object is loaded, it can be activated, and malicious code can be injected using a second instance.

    Without a known help file location, the script is useless.

    --
    liqbase :: faster than paper
  23. thx, but the main point is... by PommeFritz · · Score: 2, Informative

    I've decided to try Anti-Vir (free-av.com) for a while, I heard good comments from other people too about this one. At least it seems to work fine with thunderbird too.

    But the main point of my original comment was that McAfee decided to use Internet Explorer itself, one of the main sources of leaks and infections, as part of their own anti-virus product!
    This must be the result of someone having some serious brain damage over at McAfee's.

  24. Your solution breaks McAfee virusscan by PommeFritz · · Score: 3, Informative

    As you can read in my comment below about McAfee Virusscan 9.0, disabling activex in internet explorer breaks every settings and information panel of that virus scanner.
    Great. A virus scanner that contains IE.
    (I deinstalled McAfee an hour ago).

  25. Yawn by Kythe · · Score: 2, Informative

    Only if your default is to not have SP2 installed. RTFA.

    Since Microsoft recommended everyone upgrade to SP2, and since SP2 INTRODUCED the vulnerability, I'd say your system isn't "default", and most people, by default, are vulnerable.

    "Linux zealots", indeed.

    --

    Kythe
  26. The exploit is specifically coded to target SP2 by WD · · Score: 2, Informative

    The code for the web page is designed to specifically target Windows XP SP2. The code modification required to make it target multiple versions of Windows is trivial.

  27. Re:McAfee virusscan itself is also affected in a w by kryptkpr · · Score: 2, Informative
    --
    DJ kRYPT's Free MP3s!