Slashdot Mirror


IE Flaw Exploit In Hacker Kit 'Raises the Stakes'

CWmike writes "Roger Thompson, chief research officer of AVG Technologies, said Sunday that an exploit for the newest IE flaw had been added to the Eleonore crimeware attack kit. 'This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day,' Thompson said on his company's blog. Microsoft has promised to patch the vulnerability, but last week said the threat didn't warrant an 'out-of-band' update. Microsoft will deliver three security updates Nov. 9, but won't fix the IE bug then."

8 of 96 comments

  1. Bug is really for Windows XP by Anonymous Coward · · Score: 2, Informative

    This bug is really only a serious problem for Windows XP users. (Yes, I know there are still a lot of them - however there are also a lot of Windows 7 users now and some Vista users.) For Vista and Windows 7, since IE runs not just as a standard user, but also with Protected Mode (less than standard user rights, and cannot write to the file system or registry outside of some very restricted locations), it isn't really an issue. Hence the lower priority on the patch.

    1. Re:Bug is really for Windows XP by NetNed · · Score: 5, Informative

      Ah no, it is an IE6 and potentially an IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7, and doesn't exist in 6. It really has nothing to do with the UAC controls in place on Vista or Windows 7, since DEP is the front line defense against these attacks and works to stop the attacks before any registry altering is even possible.

    2. Re:Bug is really for Windows XP by Anonymous Coward · · Score: 1, Informative

      Ah no, it is an IE6 and potentially an IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7, and doesn't exist in 6.

      DEP is a hardware-based feature, so it is only "on by default on IE8" when the hardware supports it. There is plenty of old hardware out there either without NX support at all, or with NX disabled by default in the BIOS, perfectly capable of running IE8 and Windows 7, and they are vulnerable. For the former set of hardware, the only software fix is a patch from Microsoft. DEP fixes nothing when NX (or equivalent) doesn't exist.

    3. Re:Bug is really for Windows XP by NetNed · · Score: 3, Informative

      No, DEP is both hardware-based and software-based.

      Microsoft has software based DEP listed as: "An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor."

      You can read all about it here

    4. Re:Bug is really for Windows XP by Anonymous Coward · · Score: 4, Informative

      No, DEP is both hardware-based and software-based.

      Nope, DEP is hardware only. What Microsoft calls "software DEP" is nothing more than SafeSEH, which is a totally unrelated and considerably less useful security measure.

  2. Zero-Day? by Anonymous Coward · · Score: 1, Informative

    Err, I don't really think you can call it a zero-day anymore.

  3. Re:Attack Kit? by Anonymous Coward · · Score: 1, Informative

    I'm sure you could purchase it somewhere, if you wished. Google would probably help. Or, you could just check out the latest Metasploit SVN, which is probably where the Eleonore kit writers got the exploit. There's been PoC exploit code in there since Thursday.

  4. Because you are an administrator by Sycraft-fu · · Score: 4, Informative

    If you are an administrator of a system that by definition means you can do everything, including modify the registry. If you cannot understand this concept, then you need to learn more about how privilege levels in computers work and come back. There is no power without responsibility. The power to do something is the power to fuck something up.

    Now, as this applies to this specifically, most people who use Windows XP run as an administrator. They don't have to; you can run as a deprivileged user, and indeed we make people here do that at work, but users do not choose to because it is a pain to do. That means any program they spawn runs with permissions to do anything, since that is the whole idea of an administrator. There is nothing special about a web browser, it is just a process. It can write to the registry, drive, or anything else. The OS doesn't put random restrictions on programs.

    In Vista and 7, things are a little different. By default, even users flagged as administrators aren't actually running at an administrator privilege level. They run as regular users and have to elevate when they need to. This means that programs they launch without elevation cannot do things such as write to the registry, as that is not something a normal user (and thus their programs) has. Also, an additional layer of security was introduced called Mandatory Integrity Control. This allows for programs to be launched with even less privilege than a normal user has. This has to be configured per application, and the only thing I know that uses it is Internet Explorer. It restricts access much further, including denying read access to a great deal of what a user can read.

    This is all the same deal as with UNIX. Though Windows permissions are different (Windows has far more granular security), it is the same basic thing. If you run a program as root in UNIX it can do everything, including mess with config files not belonging to it and so on. That is the point of root: to have access to everything. You can't grant that access to the user, but somehow deny it to the user's processes; that goes against the whole idea.

    The fundamental problem is that people using XP and older run their systems as administrators, because it is easy to do. The first user you make is an administrator (the system must have one) and it doesn't make you make another. That means that all apps have all access.
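The two mitigations argued over in this thread, hardware DEP (comments 1.1 to 1.4) and IE Protected Mode under Mandatory Integrity Control (comment 4), can both be checked from an administrator's console. The script below is an added example written for this page, not code from any commenter or from Microsoft; it assumes Windows with PowerShell 3 or later, relies on the documented Win32_OperatingSystem DEP properties and the Internet Settings zone registry value 2500, and the zone name table is constructed here.

```powershell
# Added example: report DEP and IE Protected Mode state on the local machine.
# Assumptions: PowerShell 3+ (Get-CimInstance); WMI property names and the
# registry value 2500 are the documented ones; zone names are a constructed table.

function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default:
    # only system binaries are covered), 3 = OptOut (everything but an exclusion list)
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        # False here means no NX/XD bit is usable: "software DEP" (SafeSEH) does
        # not stop code executing from the stack or heap, as comment 1.4 notes.
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Applies32Bit         = [bool]$os.DataExecutionPrevention_32BitApplications
    }
}

function Get-IeProtectedModeStatus {
    # IE zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted
    $zones = @{ 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
    $base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $key = Join-Path $base $id
        # Value 2500: 0 = Protected Mode on, 3 = off; absent means IE's built-in default
        $v  = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        $pm = switch ($v) { 0 { 'On' } 3 { 'Off' } default { 'Default' } }
        [pscustomobject]@{ Zone = $zones[$id]; ProtectedMode = $pm }
    }
}

$dep = Get-DepStatus
$dep | Format-List
if (-not $dep.HardwareDepAvailable) {
    Write-Warning 'No hardware NX/XD: DEP cannot block injected code; only the vendor patch closes the bug on this machine.'
}
if ($dep.Policy -eq 'OptIn') {
    Write-Warning 'DEP is OptIn: only opted-in binaries (IE8 opts in, IE6/IE7 do not) are covered.'
}
Get-IeProtectedModeStatus | Format-Table -AutoSize
```

Protected Mode only takes effect on Vista and later with UAC enabled, so an "On" result on XP reflects the registry value, not an active low-integrity IE process.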