
Unpatched IE Flaw Extremely Critical

Durinthal writes "The biggest blip on the security radar over the Thanksgiving holiday was the realization by the security community that an Internet Explorer problem first identified six months ago was a lot worse than it appeared, as what appeared to be only a DoS vulnerability also allows for execution of arbitrary code. The realization caused Secunia to issue a rare 'Extremely Critical' advisory."

  1. Proof of Concept by Motherfucking+Shit · · Score: 5, Informative

    Here is a link to the Proof of Concept page, which will launch an instance of calc.exe if you're vulnerable. AVG Free caught the exploit in the cached page, but calc.exe ran anyway, even after I deleted the file.

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    1. Re:Proof of Concept by Sawbones · · Score: 2, Informative

      Oddly enough it didn't work for me. IE 6 on a Windows machine: it spawned a small dialog window and then a JavaScript "prompt" box with what I would assume were Unicode characters. But after that it just sat there, not crashing nor using a tremendous amount of resources. I would assume that the exploit doesn't require a user to click buttons since the advisory mentioned "just visiting a webpage". So what "should have" happened?

      --
      Ad in classifieds: Pandora's Box (no box) $5
    2. Re:Proof of Concept by Pxtl · · Score: 3, Informative

      Hm. I get a "Script Prompt" window over a tiny IE window, with the name of your site in a textbox. A few seconds later (or when I touch it) it snaps and then I get the Windows "close-details" app crash window.

      So it disturbs the browser, but it doesn't hack it for me.

    3. Re:Proof of Concept by TheSpoom · · Score: 4, Informative

      Slightly off-topic, but if you're wondering, NAV calls anything it considers suspicious enough to stop but doesn't have a name for yet "Bloodhound", because that's the component that detects buffer overflows and the like. Just something rather interesting I found when I was doing tech support.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    4. Re:Proof of Concept by TheSpoom · · Score: 2, Informative

      Proof of concept crashed (or at least, froze to the point of me having to kill the process) my Firefox, but did not open calc.exe. So technically, it could be used as a DoS attack on other browsers as well, though not nearly as badly as on IE.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    5. Re:Proof of Concept by PlusFiveTroll · · Score: 3, Informative

      Firefox didn't crash; if you waited long enough (like I did) it opens up a popup dialog full of ??????'s, and you can then close the window. But it did take a full 3 minutes on an Athlon64 300+ with a gig of RAM. calc.exe does not run.

    6. Re:Proof of Concept by Hrungnir · · Score: 2, Informative

      Odd, my Symantec Antivirus didn't catch it. Launched calc, and IE closed.

      Opera just opens another little window with nothing in it; it doesn't open calc or show any odd behavior.

    7. Re:Proof of Concept by jpop32 · · Score: 2, Informative

      So technically, it could be used as a DoS attack on other browsers as well, though not nearly as badly as on IE.

      Well, Opera just opened a small window which just sat there and did nothing. I closed it, and continued on my merry way. Score one for Opera. :-)

  2. Temp Fix by Manip · · Score: 4, Informative

    Turn on "Data Execution Protection" for all programs and services. Instead of allowing full execution it will limit it to a DoS (crack IE).

    Control Panel -> System -> Advanced [Tab] -> Performance Settings -> Data Execution Protection [Tab] -> Turn on DEP for all programs and services except those I select -> Ok -> OK.

    1. Re:Temp Fix by _Shorty-dammit · · Score: 3, Informative

      I believe DEP is on by default for IE anyways, so I'm not sure this is even necessary. I just tried the proof-of-concept test on my machine, and all it did was bring up some script prompt, didn't launch calc.exe as it should have. This is with the IE7 beta, btw.

    2. Re:Temp Fix by Ron+Bennett · · Score: 2, Informative

      Turned DEP on, shut down/restarted, and still no good - the exploit (calculator comes up) still works :(

      Perhaps hardware based DEP would make a difference, but again, for folks relying on software-based DEP, it's not effective - the exploit still works anyways.

      Ron

  3. It affects Firefox, too. by Mitchell+Mebane · · Score: 5, Informative
    --
    The roots of education are bitter, but the fruit is sweet.
    --Aristotle
  4. Re:Scummy eweek popup alert by BattleRat · · Score: 5, Informative

    The extension you are looking for is called NoScript. It works awesome.

  5. Re:Scummy eweek popup alert by HoosierPeschke · · Score: 3, Informative

    Try this NoScript. It's a whitelist so you can allow only certain sites to use javascript.

    --
    Mr. Universe: "They can't stop the signal, Mal. They can never stop the signal."
  6. McAfee Fails It by Orrin+Bloquy · · Score: 5, Informative

    On my W2K box, McAfee warns me of a threat, then as soon as I close the window, the code executes anyway.

    --
    "Made up/misattributed quote that makes me look smart. I am on /. and I must look smart."
  7. McAfee Catches it by borawjm · · Score: 2, Informative

    My virus scanner seemed to stop it on the proof of concept page. McAfee sees it as JS/Exploit-BO.gen

  8. Please stop accepting stories from Spammers by Billly+Gates · · Score: 2, Informative

    His name points to a URL and he is trying to use Slashdot to boost his Google pagemark. Move the cursor over the name? His site pops right up.

    Just yesterday a famous spammer did the same thing and posted here. The Slashdot editors should stop accepting such stories that are fabricated in order to boost his advertising revenue.

  9. Re:Am I the only one? by m50d · · Score: 2, Informative

    Anyone else could be doing it. The fact that they're nice enough to give you a link rather than just doing it suggests they're not out to get you.

    --
    I am trolling
  10. Simmer down by TubeSteak · · Score: 3, Informative

    The URL is http://www.ocremix.org/
    And here's the submitter's user page http://slashdot.org/~Durinthal

    I think you mistook the submitter for **Beatles-Beatles
    This Beatles guy is really getting out of hand.
    He manages to taint stories he isn't even submitting. ...or maybe /.'ers need to stop being so effing hyper sensitive about certain things.

    --
    [Fuck Beta]
    o0t!
  11. Re:Scummy eweek popup alert by NickFitz · · Score: 2, Informative

    IIRC, the JavaScript confirm() function returns three values -- true, false, or null, depending on whether you hit ok, cancel, or x.

    Unfortunately not. I can see that it would be useful to have, but a quick test shows that both Cancel and the Close button return false (on Windows 2000, IE 6 and Firefox 1.0.7). IIRC this is in line with the expected behaviour for such dialogs, although that may vary per operating system.

    Try it: type

    javascript:alert(confirm("blah"))

    in your browser location bar.

    For the paranoid/justifiably cautious: the "javascript:" causes the browser to pass the rest of the line to the JS interpreter, "alert(expr1)" pops up an alert (surprise!) containing the string value of expr1, and "confirm(expr2)" does the OK/Cancel box containing the string value of expr2. So first you get the OK/Cancel box, which returns a boolean value, which is then converted to a string, which is displayed in the alert box.

    --
    Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
  12. Re:Extremely Dupical by Anonymous Coward · · Score: 3, Informative

    OK, now I know Slashdot's biased, but posting this twice and not posting this at all?

    All your OS are belong to Sun!

  13. Re:Firefox vulnerable too by FooAtWFU · · Score: 2, Informative

    It doesn't crash Firefox. It hangs Firefox because it's trying to display a prompt() wherein it must reflow zillions of interesting Unicode characters. Eventually it'll display.

    if you interrupt the busy state in a debugger we're busy in layout trying to
    display the prompt(). Usually in some form of Reflow(), sometimes in font
    stuff, sometimes in Bidi (nsBidiPresUtils::RemoveBidiContinuation?).

    The Bugzilla title for this bug is 'hang when long wrappable string is passed to prompt()'.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  14. Re:Firefox v1.5 by m0i · · Score: 3, Informative

    This makes Slashdot exactly on the day Firefox v1.5 is supposed to be released. Apparently, Mozilla want to create a huge marketing campaign, better and larger than the one for v1.0. This is a perfect time to capitalize on this horrible security hole to promote Firefox.

    Hrm, did you notice that Firefox 1.5 is crashing as well on this exploit? It's not a security risk but a big annoyance nonetheless.

    --
    have you been defaced today?
  15. Actually... by Anonymous Coward · · Score: 1, Informative

    Yes it has. The vulnerability was found by me, Paul from Greyhats Security, and disclosed responsibly to Mozilla. However, a mistrusted individual leaked the vulnerability details, which quickly made their way to security websites. Secunia rated the flaw as Extremely Critical, but later dropped the rating to Highly Critical due to the fact that Mozilla changed their servers in order to render the proof of concept ineffective, even though the core vulnerability was still in the browser, and in theory could have been updated to work again.

    The bug details can be found either at Secunia or at my site. The URLs for the advisory are posted below.
    Secunia: http://secunia.com/advisories/15292/
    Greyhats Security: http://greyhatsecurity.org/firefox.htm

    Just wanted to clarify that for you :)