Slashdot Mirror
Code Posted For New IE Exploit
PC World is reporting that two days ago hackers posted code for a new vulnerability in Internet Explorer that could allow drive-by takeover of a vulnerable PC. Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild, but they are taking the new threat seriously. Symantec calls the bug "critical" and Secunia rates it highly critical, the most severe rating. The hackers who posted the sample code, xsec.org, refer to it as a "0day" exploit. The article quotes another security expert who calls this label "a stretch."
Update: 09/17 18:00 GMT by C :Fixed link to XSec. Thanks for pointing that one out, folks.
That's xsec.org not xsec.com
Another ActiveX exploit. *yawn*
If you want to be safe in IE, turn off ActiveX from untrusted sites. Hasn't this been known since day one?
News would be if ActiveX was tested and found to be safe.
Have you read my journal today?
why not post these:
Linux Kernel SMBFS CHRoot Security Restriction Bypass
Linux Kernel SCTP Multiple Remote Denial of Service
Apple Mac OS X KExtLoad Format String Weakness
Mozilla Firefox JavaScript Handler Race Condition Memory Corruption Vulnerability
Check the date on the xsec.org page referred to, daxctle2.c. milw0rm 2358 was a re-publication of this, also posted up on 09/13/2006. Republication happened at other exploit advisory sites as well, such as the SecuriTeam(TM) site, where, for some strange reason, the exploit was published twice, redundantly.
The formal vulnerability advisories SA21910 and FrSIRT/ADV-2006-3593, from Secunia and FrSIRT respectively, posted on 09/14/2006, confirmed and extended this, since both groups developed internal versions of daxctle2.c which were reliably effective in compromising fully patched instances of IE6.0 on WXPSP2.
However, both these advisories made it clear that the root cause flaw was in the ActiveX component that was so successfully and famously attacked by HD Moore in July.
Friday's MS advisory, Microsoft Security Advisory (925444), both clarified matters and proposed two workarounds that might be of more use than shutting down ActiveX or fervent prayer, namely:
- Disable just the DirectAnimation Path ActiveX Control in the Registry, or
- Modify the ACL of the actual file Daxctle.ocx to be more restrictive.
Assuming, of course, that one considers it wise to use MSIE at all, given a choice. But PHBs from coast to coast have left many millions of cube inmates with exactly that: no choice.OK, I'll answer the question. About 75% of web users still use IE.
If you are a sys admin, or a web admin, Deal.
The more you regulate a company, the worse its products become.
Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit?
Key word: fixing. As far as I can tell, this security hole is currently unpatched.
The reason it's not a 0day exploit is because some other dude already discovered the vulnerability, but didn't disclose it to the public? And that second guy is sitting on another 3 or 4 vulnerabilities?
I'm sorry, what's the definition of 0day exploit these days? If not exploit code for which there is no patch available, then what?
Can we now use "responsible disclosure" to argue away the fact that actual computer systems are at risk of being exploited right here and now, by saying "yeah, well, you got rooted and all, but we knew about that bug, so it doesn't count, even though we don't have a patch yet."?
Can we now take comments that the programmers left in the code ("// does this work?" "/* coded while druk */" "//BUGBUG") as an excuse to completely ignore actual vulnerabilities?
And hey, if TWO researches come up with this vulnerability seemingly independently, what are the chances of the exploit already circulating in the black hat community? Close to 100%?
By my definition you've got your negative-day and your zero-day exploits. Negative-day exploits; no patch yet. Zero-day; the patch has just been issued, so might as well give your exploit to scriptkiddies and botnet operators to use on the systems that don't patch early/often enough. Obviously, a negative-day exploit usually isn't going to be used on a large scale, because your average blackhatter wants to keep it in his toolkit to attack well-patched systems; after all, it's what gives him (and his leet skillz) an edge. Once patchday arrives, you might as well give it to some noobs, because they might be interested in unpatched targets, while a leet blackhatter is not.
So no, it's not a "stretch" to call it 0day. It's negative day, even.
SCO employee? Check out the bounty
Propably because there is code in the wild for this exploit and bug itself is still unfixed?
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
This does not affect IE7:6 .aspx
;-))
http://blogs.msdn.com/ie/archive/2006/09/15/75673
(Just for edification.
-- "I never gave these stories much credence." - HAL 9000
A 0-day refers to an undisclosed vulnerability; however, some people have stretched the definition to mean unpatched vulnerability. It's considered a stretch because an unpatched vulnerability is still known, so precautions can be taken. With a true 0-day vulnerability/exploit, you would have no knowledge of the issue and no way of protecting specifically against it.
Slashdot has done stories on bugs in Firefox. See ..
Slashdot | 611 Defects, 71 Vulnerabilities Found In Firefox
Firefox Analyzed for Bugs by Software
Spyware Disguises Itself as Firefox Extension
I'v also noticed how the same kind of comments from the Winpologists get modded up very quickly.
was Re:Firefox 1.5.07?
davecb5620@gmail.com
OK, smarty, I will explain the difference to you. On one hand we have Firefox, which is a piece of software that is free in both senses, and you can use it, or not use it, or delete from your system, or whatever you want. On the other hand we have Internet Explorer, which is forced upon you via "leveraging," you cannot remove, and you must use because of contrived tie-ins to fundamental system functions.
If there is an exploit for Firefox, I can shrug my shoulders and use any of a dozen other browsers to look at web pages until it gets fixed. Or I can choose to continue using Firefox anyway, despite the risk. It's my choice. However, if there is an exploit in Internet Explorer, I am just plain screwed. I can't switch the goddamn thing off or remove it. Hell, there are plenty of applications and services that will gleefully launch IE of their own accord and start loading internets from God knows where, and there's no way for me to stop it. Because of Microsoft's predatory practices, I have no choice in the matter (except to abandon Windows altogether, which is also not an option -- see how all my choices have been removed?). You're damn right people are a lot more upset when exploits turn up in IE. We are required to suffer the fallout from them.
Our intelligent designer has never created an animal that we couldn't improve by strapping a bomb to it.
Huh? If you don't have any specific reason to trust it, it's untrusted. I would have thunk that's Internet 101.
In capitalist America, your computer can have 'safe sex' by using the Firefox condom and taking the 'NoScript' pill.
Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild
what ever happened to exploits ( be it virus, trojan, whatever ) that cased some REAL damage?
All this whimy-ass 'botnet' garbage needs to end. We need something that totally kills windows when you get infected. Get the people pissed off enough to force microsoft into doing something.
---- Booth was a patriot ----
Your link points out that IE7 is vulnerable but it will prompt you to run the ActiveX control before hosing your system. From the average user's point of view, they get a message asking to run something created and signed by Microsoft for the page to load. Tell me how many average users, even the relatively computer saavy, will allow the control to run?
Throwing a constant barrage of OS/browser security pop-ups on the screen does not make it secure. Making it so that at exploitable control can be completely removed and not just "effectively removed" from the system helps make the system more secure but this is just a workaround. If the control was designed to be able to grant system level privileges to a web page than it's time to go back to the proverbial drawing board.
If it wasn't designed that way, then patch it when you first hear about it over a month ago and stop complaining about people releasing it to the public. I would rather have everyone know about it than have just Microsoft, a few security people, and several black hats knowing.
Either they released the exploit code before the hole was patched or not.
If you look at Firefox security bugs and IE security bugs, you'll see that there are more Firefox bugs than MSIE bugs in the exploit lists. There is, however, a big difference.
When Microsoft finds a security hole themselves, they don't tell anyone, and they don't release a patch. They fix it in the tree for the next release of the OS. The only time they release a patch is when someone else finds the bug. The reason they do this is because if they release a patch, people will "bindiff" it against the previous version and find what is changed so that they can make exploits to use against unpatched users. You can't realistically "bindiff" XP vs. Vista, so they can obscure their security updates inside Vista.
Firefox instead will issue patches no matter who finds them. This is why Firefox appears to have more bugs - you always see them get fixed.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
Or whatever they are called.
Why do people use IE? Mostly because of Intranet sites which server up IE only content and work badly or not-at-all with other browsers. How 'bout an IE plugin which opens only Intranet/trusted sites in IE and opens all else in an external safe browser? Or is this unlikely to be useful?
All bow to his Noodliness!! His Noodle Appendage has touched me!