Slashdot Mirror


Attacks Against Unpatched Microsoft Bug Multiply

CWmike writes "Attacks exploiting the latest Microsoft vulnerability are quickly ramping up in quantity and intensity, several security companies warned today as they rang alarms about the developing threat. Symantec, Sunbelt Software, and SANS' Internet Storm Center bumped up their warnings yesterday after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by IE to display Excel spreadsheets. There is no patch for the vulnerability; Microsoft didn't release one in today's Patch Tuesday. A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection. Symantec raised its ThreatCon ranking to the second of four steps. "We're seeing it exploited, but currently on a limited scale," said Symantec's Ben Greenbaum. Sunbelt also bumped up its ranking, to high." Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.

15 of 122 comments

  1. server side scanning by gad_zuki! · · Score: 5, Insightful

    Why don't web hosts scan for hosted vulnerabilities? I imagine a nightly clamav scan by web hosts would make all the difference in cases like these where there is no patch yet but there is a web-based exploit. Heck, some users don't even patch, as was shown by Conficker, which was patched in October and spread like wildfire in January.

    1. Re:server side scanning by koreaman · · Score: 4, Informative

      You have a good point, but are you sure web sites are actually legally entitled to inspect what people are paying them to put on their servers?

      If so, probably just a case of lazy and/or clueless administrators.

    2. Re:server side scanning by Stan+Vassilev · · Score: 4, Insightful

      You have a good point, but are you sure web sites are actually legally entitled to inspect what people are paying them to put on their servers?

      If you read the small print in the ToS you'll see they entitle themselves to doing anything they could imagine. Even if it was not in the ToS, adding it in there is trivial.

      The reason they don't do it is one of pure economy. Integrating and running antivirus programs daily on a server is not free. It slows down the server (so they can pack less sites per server), it means license/support contracts (even if the basic software is free), means the staff spending time on integrating and supporting this feature.

      At the same time, browser exploits are simply small static files that don't affect or abuse the server in question in any significant way. If they scan, it would be just to protect the site visitors, which are not a party that matters to web host providers. So, unless site owners decide they would rather take their business with a host who scans, the hosts have no interest to implement this.

  2. Firefox 3.5? by HTH+NE1 · · Score: 4, Funny

    Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.

    Well, I guess I'm safe. At my workplace, my Red Hat 9 installation is incapable of running any version newer than Firefox 2.0.0.20.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?

    1. Re:Firefox 3.5? by Anonymous Coward · · Score: 5, Insightful

      That, and the fact that there are no exploits for the Firefox vulnerability in the wild. The two pieces of news are hardly comparable. Seriously, this is like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their vehicles can be broken into with a sledgehammer.

      False analogy. Better analogy:

          It's like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their keyless entry system is also flawed but luckily since fewer people drive Chevys (and Ford drivers are usually foolish enough to park their car in front of a big warehouse with a sign that says "Not a chop shop") no one's bothered to learn how to break into a Chevy yet.

    2. Re:Firefox 3.5? by recoiledsnake · · Score: 4, Insightful

      Wrong. The details are public and exploits could be happening in the wild. How do you know they're not?

      From http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html

      Instructions showing hackers how to exploit an unpatched, critical security hole in Mozilla's new Firefox 3.5 Web browser have been posted online.

      --
      This space for rent.

  3. Re:Ohh noes.... by erroneus · · Score: 5, Interesting

    Apparently, a lot given that the attacks are becoming more intense and frequent.

    My guess is that when Office installs, various ActiveX controls are linked into the OS and by extension, the web browser MSIE. But there are lots of places where this should never have happened.

    1. ActiveX has been proven time and time again to be a very bad idea. It is not sandboxed. There is no way to keep it away from the rest of the OS.
    2. The web browser's integration with the OS. Not only has it been ruled illegal by various nations' antitrust courts, but any exploit of the browser also exploits the OS by extension.

  4. kill bits by HTH+NE1 · · Score: 5, Informative

    A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection.

    Well, Computer World (and CWmike in particular), perhaps more users would take advantage of the protection if you would provide them a link telling them how when you first mention it rather than wait until the end of the article where they may not associate it as being the aforementioned solution.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?

  5. My solution for ActiveX (no, not installing Linux) by istartedi · · Score: 5, Informative

    I use the IE security settings. Yes. It works. The only real problem with it, is that they are a bit convoluted for ActiveX. I had to slow down and think before I got what I wanted, which is essentially to have any web site that wants to run ActiveX prompt me, and then I can choose to accept (but virtually never do).

    Notice to web developers: If your site requires ActiveX, and it's not an absolutely essential service from a company that I can yell at, I will go someplace else. IIRC, I have one online financial service that fits that category.

    Otherwise, I DON'T NEED ACTIVEX. NOBODY REALLY DOES. ANYTHING WORTH DOING CAN BE DONE WITHOUT IT.

    And yes, that's shouting. It needs to be shouted loud enough for these people to hear it. It needs to be shouted again, and again. ActiveX belongs with IE6. Actually, it should have been killed off many revs before that. It should have been shot down by somebody who countered the suggestion at the very first meeting where it was discussed. Maybe somebody had the flu that day.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?

  6. Only 9 posts? by Culture20 · · Score: 5, Funny

    Apparently everyone using IE or FF 3.5 is waiting for updates before posting.

  7. Re:Active X again? by mkavanagh2 · · Score: 4, Insightful

    I believe Microsoft thinks ActiveX is sandboxing.

  8. They have by Sycraft-fu · · Score: 5, Informative

    If you go read the notice, you find out that Vista and Server 2008 aren't affected. Reason is that IE has a sandbox mode on those OSes (Windows 7 too) for things like that. However, it relies on changes to the OS so it hasn't been backported to XP and I don't know that it could be easily.

    So yes, they have sandboxed ActiveX, but it applies to newer versions of Windows only.

  9. Re:Active X again? by Penguinshit · · Score: 4, Insightful

    Sandbox?

    What ActiveX needs is a pine box

  10. Re:Ohh noes.... by sc0ob5 · · Score: 4, Informative

    You'd be surprised how many people do it. In fact so many people do it where I work that I put a reghack in the logon script to make it so that all XLS files are opened with Excel and not IE.

    "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.8\BrowserFlags",00000008,"REG_DWORD"

    I didn't put it in place for this vulnerability though, just because a lot of people use macros and don't know how to save as.
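
The two registry-based mitigations raised on this page, the ActiveX "kill bit" workaround mentioned in the summary and sc0ob5's BrowserFlags hack above, as one worked PowerShell script. This is an added example, not code from the article, from Microsoft, or from any commenter. It assumes an elevated prompt (both keys live under HKLM), uses the documented kill-bit location (`HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, `Compatibility Flags` DWORD with bit 0x400 set), and takes the `Excel.Sheet.8` / `BrowserFlags = 8` setting from the comment it follows. The CLSID in the usage section is a placeholder; the real CLSID of the affected control comes from the vendor advisory, which this page does not quote.

```powershell
# Added example (not from the article or any commenter): two registry-based
# mitigations discussed on this page, written so an administrator could run
# them from a logon script or a deployment tool.
#
# 1. Set the ActiveX "kill bit" for a control so Internet Explorer refuses to
#    instantiate it. The CLSID used below is a PLACEHOLDER; substitute the
#    CLSID(s) named in the vendor advisory for the control you want to disable.
# 2. Configure Excel.Sheet.8 so that .xls files open in Excel rather than
#    inside the browser (BrowserFlags = 8, as in sc0ob5's logon-script hack).
#
# Requires an elevated prompt: both keys live under HKLM.

$KillBitFlag = 0x400   # kill-bit flag: IE will not load a control carrying it

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\{[0-9A-Fa-f\-]{36}\}$')]
        [string]$Clsid
    )
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve any compatibility flags already set and OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor $KillBitFlag
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $new -Force | Out-Null
    Write-Verbose ("Kill bit set for {0} (Compatibility Flags = 0x{1:X8})" -f $Clsid, $new)
}

function Test-ActiveXKillBit {
    # Returns $true when the kill bit is present for the given CLSID. Useful as
    # an audit pass across a fleet before and after rolling the workaround out.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

function Set-ExcelOpenOutsideBrowser {
    # BrowserFlags = 8 on the Excel.Sheet.8 ProgID tells IE to hand .xls files
    # to Excel instead of hosting the spreadsheet inside the browser window.
    $key = 'HKLM:\SOFTWARE\Classes\Excel.Sheet.8'
    if (-not (Test-Path $key)) {
        Write-Warning "$key not found; is Excel installed on this machine?"
        return
    }
    New-ItemProperty -Path $key -Name 'BrowserFlags' -PropertyType DWord `
                     -Value 8 -Force | Out-Null
}

# --- usage ----------------------------------------------------------------
# PLACEHOLDER CLSID: replace with the real one from the advisory.
$clsidToKill = '{00000000-0000-0000-0000-000000000000}'

Set-ActiveXKillBit -Clsid $clsidToKill -Verbose
if (Test-ActiveXKillBit -Clsid $clsidToKill) {
    Write-Host "Kill bit confirmed for $clsidToKill"
} else {
    Write-Warning "Kill bit NOT set for $clsidToKill"
}

Set-ExcelOpenOutsideBrowser
```

`Test-ActiveXKillBit` is the part worth keeping around after the emergency: run it from an inventory script and you can see which machines actually picked up the workaround, which answers the summary's worry that most users never apply it. Both changes are reversible (clear bit 0x400, or delete `BrowserFlags`) once a vendor patch is installed.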

  11. Re:Ohh noes.... by OverZealous.com · · Score: 5, Funny

    Without an unsandboxed version of the Win32 API, which is what ActiveX is, they would be unable to deny the ability to use the internet to those without a recent version of Windows and Office.

    My head didn't stay unexploded while I wasn't unreading this unstatement.