Slashdot Mirror

← Back to Stories (view on slashdot.org)

Code Posted For New IE Exploit

Posted by ryuzaki0 on from the not-quite-zero-day dept.

PC World is reporting that two days ago hackers posted code for a new vulnerability in Internet Explorer that could allow drive-by takeover of a vulnerable PC. Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild, but they are taking the new threat seriously. Symantec calls the bug "critical" and Secunia rates it highly critical, the most severe rating. The hackers who posted the sample code, xsec.org, refer to it as a "0day" exploit. The article quotes another security expert who calls this label "a stretch." Update: 09/17 18:00 GMT by C :Fixed link to XSec. Thanks for pointing that one out, folks.

7 of 123 comments (clear)

  1. Wrong Link in Subject by Anonymous Coward · · Score: 5, Informative

    That's xsec.org not xsec.com

  2. September 13, not September 15 by Infosec+Geek · · Score: 2, Informative
    Since this was dated September 17, make that four days ago, not two.

    Check the date on the xsec.org page referred to, daxctle2.c. milw0rm 2358 was a re-publication of this, also posted up on 09/13/2006. Republication happened at other exploit advisory sites as well, such as the SecuriTeam(TM) site, where, for some strange reason, the exploit was published twice, redundantly.

    The formal vulnerability advisories SA21910 and FrSIRT/ADV-2006-3593, from Secunia and FrSIRT respectively, posted on 09/14/2006, confirmed and extended this, since both groups developed internal versions of daxctle2.c which were reliably effective in compromising fully patched instances of IE6.0 on WXPSP2.

    However, both these advisories made it clear that the root cause flaw was in the ActiveX component that was so successfully and famously attacked by HD Moore in July.

    Friday's MS advisory, Microsoft Security Advisory (925444), both clarified matters and proposed two workarounds that might be of more use than shutting down ActiveX or fervent prayer, namely:
    1. Disable just the DirectAnimation Path ActiveX Control in the Registry, or
    2. Modify the ACL of the actual file Daxctle.ocx to be more restrictive.
    Assuming, of course, that one considers it wise to use MSIE at all, given a choice. But PHBs from coast to coast have left many millions of cube inmates with exactly that: no choice.
  3. Re:Since /.'s already turned into bugtraq... by elronxenu · · Score: 3, Informative
    Perhaps because the first bug you mentioned was posted 4 months ago, you can resolve it by upgrading your kernel, and almost nobody would run an application chrooted under an SMBFS network filesystem anyway.

    The second bug is only a DOS, it won't give an attacker sweet r00t permissions. And it's also 4 months old news.

    The third bug doesn't result in any privilege escalation because the kextload program isn't setuid, you'd need to find some other vulnerability in a program which uses kextload.

    And the fourth bug is a month old already, hasn't been proven to be exploitable (more likely to simply crash firefox), and is easily resolved by upgrading firefox.

  4. Re:Semantics but.. by n0-0p · · Score: 2, Informative

    A 0-day refers to an undisclosed vulnerability; however, some people have stretched the definition to mean unpatched vulnerability. It's considered a stretch because an unpatched vulnerability is still known, so precautions can be taken. With a true 0-day vulnerability/exploit, you would have no knowledge of the issue and no way of protecting specifically against it.

  5. winpologists out in force by rs232 · · Score: 2, Informative

    Slashdot has done stories on bugs in Firefox. See ..

    Slashdot | 611 Defects, 71 Vulnerabilities Found In Firefox

    Firefox Analyzed for Bugs by Software

    Spyware Disguises Itself as Firefox Extension

    I'v also noticed how the same kind of comments from the Winpologists get modded up very quickly.

    was Re:Firefox 1.5.07?

    --
    davecb5620@gmail.com
  6. Since when is 0-day open to interpretation? by shaitand · · Score: 2, Informative

    Either they released the exploit code before the hole was patched or not.

  7. Re:"not a 0day exploit" by spinja · · Score: 2, Informative

    The reason I don't consider it "0day" is that a public tool exists that will discover this bug in its default configuration (AxMan). Anyone who took the time could run the tool, discover the bug, and write the exploit. The tool was released on August 1st and this particular bug was reported to Microsoft in late July. Since all of this information was *widely* publicized at the time of release ( a couple dozen articles on AxMan ), I have hard time considering any of the bugs it turns up "0day" in the normal sense. We need a new term, but "negative day" probably isn't it either. The remaining 3-4 easily exploitable bugs (of the ~100 or so that were never included in the Month of Browser Bugs) will likely stay unpublished until a patch is available.

    Its funny to see how releasing an exploit accelerates patch development. I have been waiting on the Spline and KeyFrame patches for over a month already, but it wasn't until the xsec guy rediscovered these that Microsoft decided to release a patch. Maybe there is something to this "full-disclosure" thing after all =)

    -HD