Code Posted For New IE Exploit
PC World is reporting that two days ago hackers posted code for a new vulnerability in Internet Explorer that could allow drive-by takeover of a vulnerable PC. Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild, but they are taking the new threat seriously. Symantec calls the bug "critical" and Secunia rates it highly critical, the most severe rating. The hackers who posted the sample code, xsec.org, refer to it as a "0day" exploit. The article quotes another security expert who calls this label "a stretch."
Update: 09/17 18:00 GMT by C :Fixed link to XSec. Thanks for pointing that one out, folks.
That's xsec.org not xsec.com
Check the date on the xsec.org page referred to, daxctle2.c. milw0rm 2358 was a re-publication of this, also posted up on 09/13/2006. Republication happened at other exploit advisory sites as well, such as the SecuriTeam(TM) site, where, for some strange reason, the exploit was published twice, redundantly.
The formal vulnerability advisories SA21910 and FrSIRT/ADV-2006-3593, from Secunia and FrSIRT respectively, posted on 09/14/2006, confirmed and extended this, since both groups developed internal versions of daxctle2.c which were reliably effective in compromising fully patched instances of IE6.0 on WXPSP2.
However, both these advisories made it clear that the root cause flaw was in the ActiveX component that was so successfully and famously attacked by HD Moore in July.
Friday's MS advisory, Microsoft Security Advisory (925444), both clarified matters and proposed two workarounds that might be of more use than shutting down ActiveX or fervent prayer, namely:
- Disable just the DirectAnimation Path ActiveX Control in the Registry, or
- Modify the ACL of the actual file Daxctle.ocx to be more restrictive.
Assuming, of course, that one considers it wise to use MSIE at all, given a choice. But PHBs from coast to coast have left many millions of cube inmates with exactly that: no choice.
The second bug is only a DOS, it won't give an attacker sweet r00t permissions. And it's also 4 months old news.
The third bug doesn't result in any privilege escalation because the kextload program isn't setuid, you'd need to find some other vulnerability in a program which uses kextload.
And the fourth bug is a month old already, hasn't been proven to be exploitable (more likely to simply crash firefox), and is easily resolved by upgrading firefox.
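The two workarounds from Microsoft Security Advisory (925444) quoted in the thread above (kill-bit the DirectAnimation Path control, restrict the ACL on Daxctle.ocx), as an added PowerShell example that is not from the advisory or any poster. The CLSID is a placeholder (the page does not give it), the file path under System32 is an assumption, and the script must run from an elevated prompt.

```powershell
# Added example: apply and verify both 925444 workarounds on a Windows host.
# Assumptions (not from the page): CLSID placeholder below, Daxctle.ocx in System32.

# Placeholder: replace with the CLSID of the DirectAnimation Path control from the advisory.
$Clsid   = '{CLSID-OF-DIRECTANIMATION-PATH-CONTROL}'
$OcxPath = Join-Path $env:SystemRoot 'System32\Daxctle.ocx'

# IE consults "Compatibility Flags" under ActiveX Compatibility\<CLSID>;
# bit 0x400 is the kill bit that makes IE refuse to instantiate the control.
$KillBit = 0x400
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

# Workaround 1: set the kill bit, preserving any other flags already present.
function Set-KillBit {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $current = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -Type DWord `
                     -Value ($current -bor $KillBit)
}

# Returns $true only when the kill bit is actually present in the value.
function Test-KillBit {
    $flags = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

# Workaround 2: deny Everyone read/execute on the OCX so nothing can load it.
# (icacls is assumed present; undo later with: icacls <path> /remove:d Everyone)
function Protect-OcxFile {
    if (-not (Test-Path $OcxPath)) { Write-Warning "$OcxPath not found"; return $false }
    & icacls $OcxPath /deny 'Everyone:(RX)' | Out-Null
    return ($LASTEXITCODE -eq 0)
}

Set-KillBit
Write-Host ("Kill bit set for {0}: {1}" -f $Clsid, (Test-KillBit))
Write-Host ("ACL restricted on {0}: {1}" -f $OcxPath, (Protect-OcxFile))
```

The kill bit stops IE from loading the control even if the file remains readable, so applying both gives defence in depth until the vendor patch is installed.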
A 0-day refers to an undisclosed vulnerability; however, some people have stretched the definition to mean unpatched vulnerability. It's considered a stretch because an unpatched vulnerability is still known, so precautions can be taken. With a true 0-day vulnerability/exploit, you would have no knowledge of the issue and no way of protecting specifically against it.
Slashdot has done stories on bugs in Firefox. See ..
611 Defects, 71 Vulnerabilities Found In Firefox
Firefox Analyzed for Bugs by Software
Spyware Disguises Itself as Firefox Extension
I've also noticed how the same kind of comments from the Winpologists get modded up very quickly.
davecb5620@gmail.com
Either they released the exploit code before the hole was patched or not.
Switch to Linux and watch all my applications which I need to do my job fail. Yes, that sounds like a plan. For the record I'm a .NET developer who needs Visual Studio and SQL Server to do my work.
You may find it hard to believe but Windows is a pretty damn secure OS, given that the one using it knows what he's doing. I'm not using MSIE, I'm not using Windows Media Player. And I have yet to have my machine BSOD, get infected with spyware/virus nor have to reinstall it periodically because it's unresponsive. My system is working excellently and does what I want it to do, and does it better than any Linux setup I can come up with.
Making people believe they are "secure" only by switching to another OS is stupid at best. If people don't know how their systems work, you can be sure as hell they won't be able to secure it. There is no system that is more secure than its admin is competent.
Fine, you use Linux, it works for you. Congratulations on that! But branding it as a universal solution is just stupid.
Not Buzzword 2.0 compliant. Please speak English.
RTFM.
IE can't be removed.
IE is not only used for web browsing purposes, but is started and used for and by quite a number of applications.
How's the Windows Update doing without IE?
The reason I don't consider it "0day" is that a public tool exists that will discover this bug in its default configuration (AxMan). Anyone who took the time could run the tool, discover the bug, and write the exploit. The tool was released on August 1st and this particular bug was reported to Microsoft in late July. Since all of this information was *widely* publicized at the time of release (a couple dozen articles on AxMan), I have a hard time considering any of the bugs it turns up "0day" in the normal sense. We need a new term, but "negative day" probably isn't it either. The remaining 3-4 easily exploitable bugs (of the ~100 or so that were never included in the Month of Browser Bugs) will likely stay unpublished until a patch is available.
It's funny to see how releasing an exploit accelerates patch development. I have been waiting on the Spline and KeyFrame patches for over a month already, but it wasn't until the xsec guy rediscovered these that Microsoft decided to release a patch. Maybe there is something to this "full-disclosure" thing after all =)
-HD