IE Flaw Exploit In Hacker Kit 'Raises the Stakes'

CWmike writes "Roger Thompson, chief research officer of AVG Technologies, said Sunday that an exploit for the newest IE flaw had been added to the Eleonore crimeware attack kit. 'This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day,' Thompson said on his company's blog. Microsoft has promised to patch the vulnerability, but last week said the threat didn't warrant an 'out-of-band' update. Microsoft will deliver three security updates Nov. 9, but won't fix the IE bug then."

Re:Attack Kit?

There's this new tool you really should check out.

Re:Bug is really for Windows XP

[MightyMartian]

I don't see the problem here, providing permissions on registry keys is set up appropriately. At the end of the day, browsers like Firefox and Chrome can modify files in the filesystem.

Re:Bug is really for Windows XP

[CoderJoe]

And it's even possible for a browser to alter the registry exactly why???

Because it is a program, just like any other, and needs to be able to store its own settings somewhere. For many windows programs, this somewhere is the registry.

(who modded this insightful?)

Re:Bug is really for Windows XP

[hweimer]

Ah no it is a IE6 and potentially a IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6. Really has nothing to do with the UAC controls in place on Vista or Windows 7 since DEP is the front line defense against these attacks and works to stop the attacks before any registry altering is even possible.

DEP has been broken by return-oriented programming. The fact that most exploits don't use it just means that they catch enough victims simply by using the old techniques.

Re:Bug is really for Windows XP

[dimeglio]

I believe the registry keys we're having an issue with are those, for example, which control application startup enabling malware to install, and not the browser's settings.