Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Warns of New Video ActiveX Vulnerability

Posted by Soulskill on from the like-one-of-those-pothole-signs dept.

ucanlookitup writes "Microsoft has warned of a 'privately reported' vulnerability affecting IE users on XP or Windows Server 2003. The vulnerability allows remote users to execute arbitrary code with the same privileges as the users. The vulnerability is triggered when users visit a web site with malicious code. 'Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability.' The advisory can be found at TechNet. Until Microsoft develops a patch, a workaround is available."

29 of 146 comments (clear)

  1. Isolate! by sopssa · · Score: 3, Interesting

    Once again the problem here is too tight integration with other part's of the OS. Yeah, IE is the most used browser and as such a major target for exploits, but some separation from other parts of OS wouldn't do any harm. Or atleast make it optional to use such; You won't be automatically affected by Flash or PDF exploits if you choosed not to install those. Just another reason to use alternate browsers like Opera or Firefox, seeing it only affects IE users.

    That being said, you dont need admin priviledges for some malware to do its job, botnets and such easily run within user priviledges aswell. Funnily, this issue is exactly the same in Linux and Mac OS too, which their users always seem to forget and go about how malware couldn't get the admin rights. They dont need it.

    The fun thing is, there always seem to come exploits for IE and Firefox. Very rarely for Opera. That makes me think they've made some good fundamental decisions on design and programming and know how to secure code from exploits, specially because they have major marketshare (better than IE actually) in CIS countries like Russia and Ukraine and you would be thinking the local hackers would be trying to break it apart and exploit every possible thing on it. Hats off to them, really.

    With these ages, isolating browser from the OS and even virtualizing it in its own environment that's cleaned when browser is closed starts to be a must, and I dont really see why they aren't doing it already. It would save people from so many trouble, and wouldn't affect performance at all.

    1. Re:Isolate! by Anonymous Coward · · Score: 5, Interesting

      Internet Explorer 7.0 and 8.0 already do this in Vista. By default it runs in a double sandbox where even if the current user has admin privileges the process runs as a standard user that is further constrained to only be able to read certain parts of the file system but not write. Anything beyond that requires negotiation via a specific broker process just to attain a level of security equal to that of a standard constrained user.

      These types of vulnerabilities affect all browsers. ActiveX in Internet Explorer in this case is really no different than NSAPI in Firefox or Opera. It is simply an object model for loading native plug-ins into the process. That plug-in runs in-process with the same rights and privileges as the hosting process. If there is a vulnerability in a PDF plug-in on Linux then it can be exploited through Firefox and there is nothing Firefox or Opera can do to prevent it and it would likely affect all browsers equally.

      I agree that the answer appears to be to isolate and constrain. That is what Microsoft has done and Google is following suit. That is why this vulnerability does not affect Vista or Windows Server 2008, or rather an exploit for the vulnerability is neutered by the fact that once it has broken in it cannot do anything malicious.

    2. Re:Isolate! by lorenlal · · Score: 3, Insightful

      You have to take a look at your market to distribute your virus too. Sure, Opera might have more market share in Russia and the Ukraine, but it's still tiny overall.

      By attacking IE only, you get 65%, include Firefox, and you're staring at 87% of the browsers in total use. You could target certain countries if you wanted to, but for most malware writers it's pure numbers, and it doesn't matter where they come from. I don't know if Opera is designed/written any better... but I can reasonably assume that it's not being targeted as intensely as IE/FF. I'm not taking my hat off to them until they lock down enough worldwide market share to become worthy of being targeted.

      I totally agree that the browser shouldn't be so integrated with the operating system. As a rule, we all know that you don't put yourself out on the public internet... Why have a utility that's part of the OS reach out and grab stuff from there? But don't get me started on virtualization. If we want all the flash and trash we ask for, then virtualization isn't going to deliver it yet... unless you're planning on including all the funny gadgets in a virtual OS. We don't do it already because the products (that I've evaluated) don't do this sort of thing well at all yet.

    3. Re:Isolate! by abigsmurf · · Score: 2, Informative

      I'm getting as many virus alerts through Firefox now as I used to get through IE before I switched, most of them seem to be flash and pdf exploits but I've had a few occur that don't appear to be either. Yes you could potentially make Firefox safer with noscript etc. but frankly that makes for an incredibly sucky web experience (and you could turn of scripting, flash and activeX in IE too with similar results). The rise in Firefox targeted (or partially targeted) exploits, in my personal experience, has risen almost in direct proportion to the browser's popularity.

    4. Re:Isolate! by Opportunist · · Score: 3, Insightful

      Isolation only helps so much. Given that a lot of interesting malware targets (online banking, paypal, amazon, ebay...) are used exactly with the same browsers that would execute the malware, containing it to the browser doesn't really help a lot. You'd have to disallow the browser to make changes to itself. And, while sensible, this would not be very popular with a lot of people who want to "click and install".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Isolate! by lxs · · Score: 2, Funny

      I don't know, but I bet that the Phantom wouldn't like it.

    6. Re:Isolate! by lorenlal · · Score: 2, Insightful

      However, why is this such a problem? Its not so hard to create some level of virtualization for so specific target as a simple webbrowser...

      Have you spent a lot of time managing virtual applications? If so, you already know that managing the virtualized application is not trivial. Especially if you have plugins. Adding a plugin (currently) requires reworking the virtual application's package. This has been due to change for years, but I haven't witnessed this in practice yet.

      Even when you run stuff like Flash and so on it. Instead of installed all over the OS, Flash and other plugins could be installed on that virtualized and separated space that would be cleaned and restored to original "last good known state" when browser quits. Then there would be another isolated space to save all the temp data, cookies and such which would be even more restricted and hence could be sustained thru different browser sessions too.

      Of course, as it stands right now, we have a few browsers that support private browsing. That does prevent much of the data picked up from getting saved. I don't know what it's impact is with malware, but I'd guess it doesn't hurt. Also, what you're suggesting would require a major effort on the part of browser makers. I don't think that the vast majority of users could go and add plugins manually to their virtual browser. I'm not saying that it's impossible thought.

      I agree with your original post that it's not necessary to have a "tightly integrated" browser. If it weren't for this integration, you could reduce the need to virtualize in the first place.

  2. Oh well. by A.+B3ttik · · Score: 3, Funny

    affecting IE users on XP

    Good thing none of them read Slashdot.

    1. Re:Oh well. by that+IT+girl · · Score: 2, Informative

      Ugh, this is the case for--get this--our HR and payroll website.
      iemployee.com
      IE only.
      Yes, I AM afraid.

      --
      10 FILL MUG WITH COFFEE
      20 DRINK COFFEE
      30 GOTO 10
  3. Re:Fixes by dwieeb · · Score: 2, Informative

    Yeah, but only in Europe will IE not be bundled with Windows 7.

  4. better workaround by DanWS6 · · Score: 5, Funny

    http://www.mozilla.com/en-US/firefox/

    1. Re:better workaround by L4t3r4lu5 · · Score: 2, Informative

      Supplemental: http://noscript.net/ and http://www.sandboxie.com/

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  5. Not privately reported by Anonymous Coward · · Score: 3, Informative

    Securityfocus has more details, including the secret identity of the 'private reporter'

    1. Re:Not privately reported by Otto · · Score: 2, Interesting

      And exploit code: http://downloads.securityfocus.com/vulnerabilities/exploits/35558.rb

      Basically, it's exploiting a buffer overflow in the MSVidCtl ActiveX control. It has it load a malformed GIF which causes a buffer overflow somewhere, which then loads in shellcode.

      Not much to it, really. You could make this into a static exploit if you so desired and pop it on any webpage you liked.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  6. But... by goobermaster · · Score: 2, Funny

    But BonziBuddy told me that ActiveX was working perfectly! How can a purple monkey that helps me to remember all my credit card numbers lie???

  7. Hi, I'm a mac by Em+Emalb · · Score: 2, Funny

    I have nothing further to say, I just wanna stand here in my black turtle-neck with my cup of coffee looking smug. /typed on my MBP, so simma-down now fan boys... ;-P

    Seriously, this exploit sucks. I've gotta patch a butt-load of computers today now. Thanks a lot MS. Anyone know if the MSI file has a silent install option? Or can it be done via GPO?

    I just walked in, this smacked me right in the face this am. Damnit.

    --
    Sent from your iPad.
    1. Re:Hi, I'm a mac by Em+Emalb · · Score: 2, Informative

      It can. Made the change to our GPOs, and it's rolling out now. Having an issue with terminal server users, the installer is trying to install for every user that accesses the box (as intended, I guess) but none of our users have admin rights so it's bombing out....that's a simple fix though, just exclude any terminal server you might have and patch it manually.

      So, to answer my own question, yeah, it's easy to script it.

      --
      Sent from your iPad.
  8. couldn't microsoft by circletimessquare · · Score: 4, Funny

    just warn us when they have found no exploits at all?

    meanwhile, we would just assume the default status is that everything is exploitable

    it would cut down on the announcements by an order of magnitude

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:couldn't microsoft by VGPowerlord · · Score: 2, Insightful

      couldn't microsoft just warn us when they have found no exploits at all?

      In theory, they already do this on the second Tuesday of every month.

      However... has there ever been a Microsoft patch Tuesday that hasn't had any patches? I'm going to tentatively say "No"...

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  9. Re:Fixes by mcgrew · · Score: 2, Informative

    here is the fix and no, it isn't "downgrading to Vista." It disables the vulnerable parts of the OS/IE.

    --
    Free Martian Whores!
  10. Hmm... by that+IT+girl · · Score: 2, Interesting

    Does bring one question to my mind, though. In our office we have been told not to upgrade to IE7, though a few people "accidentally" did anyway. On their machines, even if they use Firefox, the security/Internet settings that IE7 made carry over to Firefox and affect it. One example is a certain java applet we have to access here that wouldn't even work in FF after my coworker upgraded. I had to go in and change settings in IE for it to work in either browser. I didn't upgrade and I'll admit my knowledge is a bit fuzzy in this area, so I haven't really looked into this too much, but... If a vulnerability can use IE to get into the OS, couldn't it do so even if you haven't opened IE yourself?

    --
    10 FILL MUG WITH COFFEE
    20 DRINK COFFEE
    30 GOTO 10
    1. Re:Hmm... by magamiako1 · · Score: 2, Insightful

      No. There would have to be some sort of vulnerability existing in the system to launch code, to then launch IE, to then exploit IE.......yeah....you can see the logic in that.

      No, if IE is not running or being used, the exploit would not affect the system.

      That said, this vulnerability does not affect Vista or Windows 7, or IE7/8 on those systems.

      Really--people should upgrade. And furthermore, people should not disable UAC.

  11. Active X... by TriZz · · Score: 2, Funny

    ...will soon be added to the Thesaurus as a synonym of "Vulnerability".

    --
    No matter how hot a girl is - some guy somewhere is sick of her shit.
  12. There is a difference - attack surface by WD · · Score: 4, Informative

    It is true that an ActiveX and NSAPI plug-ins are both native code and can have the same risks. But the big difference is attack surface. Code needs to very explicitly be written as a NSAPI plug-in. However, most Windows components are by default a COM object, and perhaps controlable by Internet Explorer if the developer so chooses (traditionally referred to as an ActiveX control).

    So a typical Firefox installation may have a half dozen or so plugins available, and they may have vulnerabilities. But a typical IE installation has literally thousands of COM objects at its disposal (A bare Windows XP installation has over 2500 COM objects). And those objects may have vulnerabilities as well.

    So play the numbers. IE's close integration with the OS means that it has a larger attack surface. While isolation and privilege separation is a good idea, the actual reason that Vista and 2008 are unaffected are *not* because of low-rights IE. IE on those platforms treats the ActiveX interaction required by the exploit as "unsafe" and is blocked. (Rather than allowing the exploit to occur but "neutering" it by giving it low rights).

    1. Re:There is a difference - attack surface by TheRealMindChild · · Score: 2, Informative

      An "ActiveX control" is a COM object with a certain group of interfaces... all COM objects are not ActiveX controls.

      The vulnerability here comes from, NOT necessarily the oodles of known COM libraries on every Windows system. It isn't REALLY about the fact that you can CreateObject("COMObject.OfMyChoice") on these already known objects... it's all that wrapped together with a COM object that has a .ExecuteMyCode() type method.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  13. Re:Isolate! HA! by plague3106 · · Score: 3, Insightful

    Another reason to not use ActiveX and NOT use an OS that allows executables to do anything with the kernel via an untrusted WEB PAGE.

    Um, what? This has nothing to do with the kernel.

    This is another reason NOT to use Vista.

    How so? Vista is secure from this, its XP thats vunerable.

    Where are my mod points?
    It seems they got lost about a month or so ago and never came back.

    With posts like this, I can see why.

  14. Sometimes I wonder... by DarKnyht · · Score: 2, Insightful

    It makes me wonder why any financial institution would still design their websites to require Internet Explorer and/or Active X. Seems sort of like putting up guide rails at a bowling alley and then expecting everyone to bowl gutter balls.

    --
    Voting them all out of office, now that's change I can believe in.
  15. Informative? More like "+1, Sounds Kinda Right." by Anonymous Coward · · Score: 2, Informative

    Wrong on two counts:

    1. Every ActiveX object is a COM object, but not every COM object is an ActiveX object. This is not a pedantic distinction.

    2. IE is no more integrated with the OS than Webkit is in KDE: the rendering libraries are considered part of the OS, and the plugin mechanism previously discussed operates there as well.

    Please know more about the technology before making unfounded assertions.

  16. Re:Isolate! HA! by VulpesFoxnik · · Score: 2, Funny

    NOT use an OS that allows executables to do anything with the kernel via an untrusted WEB PAGE

    So I guess you don't use any Operating System then?

    No, He prefers to communicate using God's language, machine code.

    --
    RES PUBLICA NON DOMINETUR