Zero-Day Team Launches with Emergency IE Patch

Holy Mother of Thor writes to mention an eWeek article about a third-party patch for Internet Explorer. A dark horse security group formed after the WMF attacks in late 2005, the ZERT (Zero Day Emergency Response Team) has released a patch to attempt to slow the malware attacks on Windows. From the article: "'It is clear that we are dealing with an underground group of people who are writing exploits for profits. They are waiting for Patch Tuesday to pass, then it becomes Exploit Wednesday. We're seeing these zero-days in the wild, timed precisely to guarantee at least an entire month to spread,' Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."

Microsoft would have fixed this in 3 days

[Rik+Sweeney]

but it didn't have anything to do with DRM

Spyware Thursday

[Yahma]

So we now have Patch Tuesday, Exploit Wednesday, and now what? Spyware Thursday..?

The majority of exploits could be stopped if Windows users switched to Firefox. However, getting Joe User to switch from IE to firefox is difficult, especially when he percieves no problems with IE. The majority of exploits in the wild today hide themselves from the user, and turn their machine into a Zombie node without their knowledge. Because Joe User doesnt know anything is wrong with his computer, he keeps using his unpatched IE and helps spread the exploit even further.

Yahma

Try http://www.blastproxy.com/ for a fast, free and anonymous proxy to bypass firewalls at work & school
Try http://www.mortgagetricks.info/ for free tips, tricks and advice on how to get a low mortgage rate.

Re:Spyware Thursday

[iPodUser]

In my experience, it is not hard to convince "Joe User" to switch browsers. All I have to do is say: "ooh look tabbed browsing." If that fails, use "ooh look! Themes!" and they capitulate.
However, you correctly identified what the real problem is: Uneducated users. Once someone gives them a good talking to, they usually see the light. It's just hard (impossible) to reach all of the uninitiated noobs out there.

Re:Spyware Thursday

[tacocat]

Never seen that happen. They don't want the "good talking to". They just want their stuff to work the way they are used to seeing it.

Changing from MSIE to Firefox means you have to re-learn how to navigate around the browser. My wife went from Linux/Firefox to Apple/Safari and after a month she's bothered to figure out how to save bookmarks. She doesn't care about tabbed browsing settings or anything else. I think she's fairly typical in that she uses

I cite this as one example of many.

Not everyone is in love with their computer.

The conversion of my family hasn't been because of a good talking to. It's been because I simply won't allow a Windows machine in the house. They've learned how to use Linux and Apple nicely enough and in some cases prefer to do their school work on Linux/Apple.

Re:Spyware Thursday

[mysticgoat]

There is no superior technology or anything that would help to make Firefox inherently more secure.

Uh, not quite.

MSIE was rewritten in the mid 1990s so that core modules became an integral part of the Windows OS. It is generally recognized that maintaining a wall between OS and app is good engineering, partly because it avoids many difficult security issues. This is especially true when the application is an interface to the outside world that by nature cannot be secured, like a browser. MS in its wisdom determined that the immediate courtroom benefits of knocking that wall down outweighed the security and maintenance concerns. This was a central part of their defense strategy against lawsuits brought by Netscape and others.

So yes, Firefox's implementation of the available technology is inherently more secure. Firefox preserves the wall between itself and the OS, and is not a superhighway into the core of the OS, the way today's MSIE is.

time better spent elsewhere

Their time would be better spent on improving Free Software instead of trying to plug holes of closed-source software. Microsoft does not appreciate help like this.

Who didn't see this coming

[George+Beech]

I mean really, it just seems logical if they are only going to patch once a month, then the bad guys will go after every hole that wasn't patched the day after updates are released.

I'm just amazed that it took this long for it to become big news that this kind of thing is going on.

Re:An even simpler solution

[robpoe]

Wish that were the case ..

I manage several networks .. and on those networks we tried limited rollouts of Firefox ..

1. Proxy settings. All the users at one site HAVE to go through a proxy server. It's a transparent server, but offers us logging (required by law) and it helps with the overloaded internet connection Set the proxy settings in Firefox, and a user need only go Tools | Options | General | Connection Settings to turn them off. No way to disable the menu, without going in and re-writing the XUL code. IE? Easy, shove a .reg file to the machine to disable access to that tab. Easy to bypass, yes. For a geek. But for a general user, not quite so easy for them.

2. IE Only Sites. There's nothing more than I'd love than to put Firefox and remove IE from people's desktop. In fact, I do at every chance I get. But telling someone that if they come across a site that FF doesn't work with - the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work ... well your credibility just got shot down.

Alternative: Unregister vgx.dll

[Noksagt]

The latest Security Now! episode had information on this exploit. Those who have policies in which they can't install third party patches do have an alternative:

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

When MS comes out with a patch,

regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

will re-register it.

Poor Stew.

[twitter]

Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."

Very noble of him to volunteer, but we all know what happens in the movies to the character who mistakenly sacrifices themselves to defend the bad guy. At this moment, chairs are flying and the heavy weights at M$ are screaming things like, "This guy is making us look bad! Steve smash!" A much cooler arch villain grins a maniacally at his underling and contemplates co-opting as much of the work as possible before dropping both of them into a pool of red hot magma.

What will the real world fate be for poor Stew? DMCA suit? C&D for trade secret or patent infringement? Who knows! But none of it will really make windoze a place that's safe for your work.

Re:Poor Stew.

[uufnord]

I want to point this out:

Other volunteers involved with the ZERT initiative include
* Halvar Flake, CEO and head of research at Sabre Security;
* Ilfak Guilfanov, author of the IDA Pro binary analysis tool;
* Paul Vixie, founder of the ISC (Internet Software Consortium);
* Roger Thompson, chief technology officer of Exploit Prevention Labs;
* Florian Weimer, a German computer expert specializing in Linux and DNS (Domain Name System) security..

These guys are top-notch. I can't give enough praise to show my support for what they're doing. When all the government bullshit artists were finger pointing, when all the CERTs of the world were waiting for a vendor fix, when Microsoft was sitting on it's hands doing nothing, these guys were working hard to build useful tools. Hackers and crackers on both sides of the fence have benefitted from the work these guys have done. If you don't know who these guys are, google them, because they're all good people, hard workers, and brilliant minds.

... except for Roger Thompson.

One word: AdBlock.

[Kadin2048]

I've also found a "killer feature" to be AdBlock.

Okay, so it's not really a 'feature' of Firefox per se. But it's one of those things that even relatively ignorant users can grasp and realize the value of, and once you start using, there's really no going back. And it's so easy to install on FF, you can kind of sell it as a package deal.

Set your mom/dad/grandmother/coworker up with Firefox+AdBlock+Filterset.G, and between the tabs and the lack of advertising, you'll probably have gotten a convert for life.

The only problem is that in many cases it's not quite practical to throw away IE completely; there are too many online banks and other systems which count on it's braindead idiosyncrasies.

Re:An even simpler solution

[Daemonstar]

Comments: 1) Make all outbound port 80 requests be routed via the transparent proxy; there shouldn't be any settings in each workstation's browser. This forces everything through the proxy, no matter what. Add other ports (i.e. 8080, etc.) as appropriate. 2) If Firefox doesn't work with some sites, then install the IE View and IE Tab extensions. You can change the rendering engine for the page in Firefox. Yes, it does use IE, but, that way, your users can view most sites in Firefox without switching applications (99% of the time, anyway). You will still have to keep IE patched.

Re:An even simpler solution

[savala]

No way to disable the menu, without going in and re-writing the XUL code. IE? Easy, shove a .reg file to the machine to disable access to that tab. Easy to bypass, yes. For a geek. But for a general user, not quite so easy for them.

If the .reg file is an adequate solution for IE, then a userChrome.css file that simply sets the relevant preference panel to display: none, and a user.js file to reset the proxy settings at each startup (in case the user knows how to find about:config) should be equally adequate.

Just went to look it up. They of course didn't bother to tag the groupbox with an id ("grandmothers don't need easily modifiable chrome!" - meh, give me SeaMonkey any day of the week), but you can hide the "connection settings" button with the following rule: #catProxiesButton { display: none !important; }

The patch can be downloaded.....

[8127972]

.... from any of the following links:

www.getfirefox.com
www.opera.com

Re:An even simpler solution

[Phroggy]

1. Proxy settings. All the users at one site HAVE to go through a proxy server. It's a transparent server, but...

What you're describing is not a transparent proxy server. It's just a normal proxy server, that has to be configured in the browser. A transparent proxy server is where your firewall hijacks all outbound traffic on port 80 and reroutes it to the proxy server's IP without the browser knowing about it. This would solve your problem.

Another option you may want to look into (it won't help with the issue of users being able to turn it off, but it might make configuration easier) is Web Proxy Automatic Detection (WPAD). Start by making a Proxy Automatic Configuration (PAC) file, which is just a bit of JavaScript code that tells the browser what proxy server to use. For example:

function FindProxyForURL(url, host) { // Don't use a proxy when connecting to local servers
    if(isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
    return "PROXY proxyserver.example.com:3128";
}

Put this file on an internal web server. Name the file "wpad.dat", and configure the server to give the MIME type as application/x-ns-proxy-autoconfig, for example:

<Files wpad.dat>
                ForceType application/x-ns-proxy-autoconfig
</Files>

Now, configure your internal DNS server to add a host "wpad" at whatever domain you're using internally to point to your web server, so that http://wpad/wpad.dat will return the PAC file you've created.

Finally, to cover all the bases, make it explicit in your DHCP server. Set this global option in dhcpd.conf:

option wpad code 252 = text;

Then add this within your subnet declaration:

option wpad "http://wpad/wpad.dat\n";

Internet Explorer breaks without the trailing \n. I'm not sure if it has to be \n, or if some other character would work better, but this seems to work just fine.

Sounds complicated! But just remember, you only have to do this once. Internet Explorer and Firefox will both respect it automatically, out of the box, with no client-side configuration at all. One caveat: Mac OS X does not currently support WPAD; I'm hoping Apple fixes this in 10.5 "Leopard" next spring, but I haven't seen anything official about it. In the mean time, Mac clients have to set the URL of the PAC file manually. WPAD works in Firefox on Mac, but see bug 327381 if you're running it on a laptop (I don't know if that bug applies to Windows as well).

Re:An even simpler solution

[Shawn+is+an+Asshole]

Set the proxy settings in Firefox, and a user need only go Tools | Options | General | Connection Settings to turn them off. No way to disable the menu, without going in and re-writing the XUL code.

It's actually pretty easy to disable anything in Firefox/Mozilla.

1. Open Firefox and set the options you want to preconfigure/lock such as the proxy settings.

2. Look in Firefox's config directory for a file called "prefs.js". Under Linux this is in "~/.mozilla/*.default/". Under Windows, this is in "Application Settings\Mozilla\*.default\". On OS X it's in "Library/Mozilla/Firefox/*.default/".

3. Copy the file to lock.js and open it in a text editor.

4. Leave the first line as is (the # line). For any option you want to lock, set "user_pref" to "lockPref". For example:


# this line is required. don't remove
lockPref("network.proxy.ftp", "proxy.somemachine.org");
lockPref("network.proxy.ftp_port", 3128);
lockPref("network.proxy.http", "proxy.somemachine.org");
lockPref("network.proxy.http_port", 3128);
lockPref("network.proxy.ssl", "proxy.somemachine.org");
lockPref("network.proxy.ssl_port", 3128);


5. Download moz-byteshift.pl and run it like this:


moz-byteshift.pl -s13 < lock.js > mozilla.cfg


6. Copy the mozilla.cfg file to the root of the Firefox install directory. This is "/usr/lib/firefox/" on most Linux distros, and "c:\windows\Program Files\Mozilla Firefox\" on Windows. On OS X it's in the "Firefox.app" directory.

7. Inside of the Firefox install directory, open the file "greprefs/all.js" and add this line to thee bottom:


pref("general.config.filename", "mozilla.cfg");


The user can no longer change the proxy settings, or any other setting you choose to lock.

This works everywhere and options are identical across platforms (except when they include file paths). The only place I haven't had it work is Ubuntu, which apparently does something to break the feature. The method they provide to provide the functionality does not appear to work (I spent a few days googling and trying everything before just disabling the built-in and installing the official build).

Deploying is easy. All you have to do is copy the greprefs/all.js and mozilla.cfg files to the clients. With WPKG this is trivial. Just make sure only the administrator can write to all.js and mozilla.cfg, also make sure that all users can read the file.

Here, I'll even help you out with WPKG. Just save "mozilla.cfg" and "greprefs/all.js" as a self-extracting file with 7-Zip:


<?xml version="1.0" encoding="UTF-8"?>
<packages>
<package id="firefox_restrictions" name="Firefox restrictions" revision="20060922" reboot="false" priority="1">
<depends package-id="firefox" />
<check type="file" condition="exists" path="%PROGRAMFILES%\mozilla.cfg" />
<install cmd='%SOFTWARE%\firefox_restrictions\firefox_restr ictions.exe -o"%PROGRAMFILES%\Mozilla Firefox\" -y' />
</package>
</packages>


Any time you need to push new updates out, just change the revision to the current date.