IE Flaw Exploit In Hacker Kit 'Raises the Stakes'

CWmike writes "Roger Thompson, chief research officer of AVG Technologies, said Sunday that an exploit for the newest IE flaw had been added to the Eleonore crimeware attack kit. 'This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day,' Thompson said on his company's blog. Microsoft has promised to patch the vulnerability, but last week said the threat didn't warrant an 'out-of-band' update. Microsoft will deliver three security updates Nov. 9, but won't fix the IE bug then."

Bug is really for Windows XP

This bug is really only a serious problem for Windows XP users. (Yes, I know there are still a lot of them - however there are also a lot of Windows 7 users now and some Vista users). For Vista and Windows 7, since IE runs not just as a standard user, but also with Protected Mode (less than standard user rights and cannot write to the file system or registry outside of some very restricted locations, it isn't really an issue. Hence the lower priority on the patch.

Re:Bug is really for Windows XP

[NetNed]

Ah no it is a IE6 and potentially a IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6. Really has nothing to do with the UAC controls in place on Vista or Windows 7 since DEP is the front line defense against these attacks and works to stop the attacks before any registry altering is even possible.

Re:Bug is really for Windows XP

[MightyMartian]

I don't see the problem here, providing permissions on registry keys is set up appropriately. At the end of the day, browsers like Firefox and Chrome can modify files in the filesystem.

Re:Bug is really for Windows XP

Ah no it is a IE6 and potentially a IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6.

DEP is a hardware-based feature, so it is only "on by default on IE8" when the hardware supports it. There is plenty of old hardware out there either without NX support at all, or with NX disabled by default in the BIOS, perfectly capable of running IE8 and Windows 7, and they are vulnerable. For the former set of hardware, the only software fix is a patch from Microsoft. DEP fixes nothing when NX (or equivalent) doesn't exist.

Re:Bug is really for Windows XP

[benjamindees]

And it's even possible for a browser to alter the registry exactly why???

Broken Windows create jobs.

Re:Bug is really for Windows XP

[NetNed]

No DEP is both hardware based and software based.

Microsoft has software based DEP listed as: "An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor."

You can read all about it here

Re:Bug is really for Windows XP

[CoderJoe]

And it's even possible for a browser to alter the registry exactly why???

Because it is a program, just like any other, and needs to be able to store its own settings somewhere. For many windows programs, this somewhere is the registry.

(who modded this insightful?)

Re:Bug is really for Windows XP

[NetNed]

What windows program can't alter the registry exactly?

Re:Bug is really for Windows XP

[master0ne]

every setting you set in your browser is stored as a registry key. If you set your browser to enable TLS 1.0, thats a boolean reg key that gets enabled, homepage is stored as a.... registry key!

Re:Bug is really for Windows XP

[v1]

And it's even possible for a browser to alter the registry exactly why???

This is simplifying things a bit, but in short, the registry is the one central place where all preferences are stored, for everything, including the OS, its security system, and every single installed application. So at least in hindsight MS tries to stop apps from being able to change each other's registry keys, or add new keys that other systems will use. But the whole thing is basically starting with a sponge and trying to fix the holes one at a time, while the sponge is getting bigger.

Basically if you have unrestricted access to the machine, you own it. And the OS must allow you a somewhat liberal degree of access to function. It's like being forced to allow thieves into a warehouse size department store, and you've only got a handful of guards. There's just so many ways you can lock so much stuff down, you're going to lose. The entire concept is broken, but all the windows apps rely heavily on it, so you either break the world, or live with it. Nowadays most malware removal consists of two steps: (1) delete files and (2) delete registry keys.

How the concept of "registry" survived into vista, let alone 7, astounds me. By XP everyone realized it was a horrible idea.

Re:Bug is really for Windows XP

[CarpetShark]

"Broken Windows create jobs."

I'm a window cleaner, you insensitive clod.

Re:Bug is really for Windows XP

[hweimer]

Ah no it is a IE6 and potentially a IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6. Really has nothing to do with the UAC controls in place on Vista or Windows 7 since DEP is the front line defense against these attacks and works to stop the attacks before any registry altering is even possible.

DEP has been broken by return-oriented programming. The fact that most exploits don't use it just means that they catch enough victims simply by using the old techniques.

Re:Bug is really for Windows XP

[NetNed]

Well since TFA talks about a exploit that CAN be stopped by simply running DEP in IE7 or above it really don't matter if DEP has been broken by whatever since the code at hand is only trying to exploit machines where DEP in not installed (IE6) or not on, which could be any IE if a user turned it off for some odd reason.

Re:Bug is really for Windows XP

No DEP is both hardware based and software based.

Nope, DEP is hardware only. What Microsoft calls "software DEP" is nothing more than SafeSEH, which is a totally unrelated and considerably less useful security measure.

Re:Bug is really for Windows XP

[Low+Ranked+Craig]

so you're responsible for those lame MyCleanPC.com ads?

Re:Bug is really for Windows XP

[Blakey+Rat]

And it's even possible for a browser to alter the registry exactly why???

Here's a shocking revelation: browsers can also *write files to the filesystem!*

Oh sure, they try to justify this as some kind of "bookmarks" or "caching" feature, but we know they're just intentionally putting security holes in their software.

(On a more serious note, if the user is running Windows XP, IE 6 or 7, and doesn't have DEP turned-on... then they're probably also running as Administrator, which means the browser can do anything it damn well pleases. Note that this applies to Firefox, Chrome, and Safari also... I don't understand why you find this shocking.)

Re:Bug is really for Windows XP

[dimeglio]

I believe the registry keys we're having an issue with are those, for example, which control application startup enabling malware to install, and not the browser's settings.

Re:Bug is really for Windows XP

[engineer_uhg]

Also, broken Windows creates well-compensated Jobs.

Re:Bug is really for Windows XP

[danomac]

Yes, but the application shouldn't be allowed to alter settings in the registry other than its own.

Re:Bug is really for Windows XP

[hairyfeet]

For those on XP there is an easy way that will probably work to stop this cold. I say probably because I haven't had the time to look for an attack site and play with the code. But on XP you can use the Free Comodo Internet Security or Comodo Av (both free) and under "Defense +" settings choose to run IE always in the sandbox. This will keep IE from doing any real registry or file writing, instead dumping any writes to a virtual registry and file system that is locked off from the OS.

While I agree it is MUCH better to have DEP and ASLR, there are still tons of quite good machines out there that simply don't support those features and are still running XP. For those machines I use Comodo Internet Security and so far I have yet to have a customer or family member running it to come back pwned. Of course I try my damnedest to get them off of IE and onto FF, as we can see with TFA IE is still to big a target.

Re:Bug is really for Windows XP

[The+Grim+Reefer2]

I don't see the problem here,

From the article: "So far, the attacks we have seen only target Internet Explorer 6 and would not have been successful against Internet Explorer 8,"

Neither do I.

Re:Bug is really for Windows XP

[KingMotley]

I have to say that's a pretty ridiculous question. Because the registry is where all the application settings are supposed to be stored. Funny how an application needs access to change things in the registry when that's what it's designed to do.

Re:Bug is really for Windows XP

[Phopojijo]

One reason is because they're dependent on higher-permissions code... which the exploiting code pretends it is by over-writing part of the higher-permission code in memory... such that the next time said code is run, it is no longer there.

That's actually how DEP works... the CPU executes a string of commands... one after another... some from memory, some from cache, some jumps, some sequential... ... then when it sees code marked as "data"... it freaks out and realizes it somehow got misdirected out of "execute" and fell in a data buffer. If DEP wasn't enabled... it wouldn't check to see where it is and would just run it with whatever permissions SHOULD be there. If DEP was enabled... the CPU freak-out would force an instant crash and signal Windows that (x) was terminated because it tried to execute data.

The reason why executing data is dangerous is because it's a section of memory that the programmer said "this should not contain any code... and can be written to by someone other than me".

Which by the way is how jailbreaking Apple products works... you're installing malware on the system to get a higher permission level than the application wishes you to have. The same process you used to usurp admin rights from Apple on your phone is the same process anyone else needs to do to usurp admin rights from Apple on your phone... which is exactly how viruses are made.

Simply put... it's ridiculously hard to write secure code. All you can do is reduce how much access to elevated permission code you have... and fix any errors as you, or someone, finds them.

Re:Bug is really for Windows XP

[RaymondKurzweil]

Fuck you... this is an issue of a fundamental freedom. An application as powerful and useful as a browser should have the right to alter an setting in the registry it wants!!

Re:Bug is really for Windows XP

[metrix007]

What rubbish. A process started as a user can do anything a user can do. That's because current security models are shit. It's no different that under *nix any process started as a user can edit any dotfles in the users home directory.

Re:Bug is really for Windows XP

[francium+de+neobie]

But there's no information proving that a coder in-the-know can't turn the DEP-inactive exploit into a DEP-active exploit.

Re:Bug is really for Windows XP

[Peeteriz]

Windows registry does not really have a secure concept of "app's own settings" - apps are encouraged to limit their settings to registry tree with the vendor and app name, but there's no secure mapping that would allow to check if virus.exe is or isn't really 'Microsoft\Internet Explorer'.

And it's the same with unix config files - what's stopping an exploit in linux firefox from writing not to FF settings file in your home directory, but to some other applications configfile?

Re:Bug is really for Windows XP

[NetNed]

Sure there is if you RTFA. Since the story says DEP in IE8 stops it from affecting it I would have to go on that. Could the code be changed in the future to break DEP? Sure, but then it is a different code and a different problem. The code in the story we are talking about can't. We can fantasize about what any code in the open can do, but at this point in time with this code, no it can't break DEP.

Re:Bug is really for Windows XP

[NetNed]

So you didn't RTFA? Or click the link I posted? Really, it's just a link to Microsoft's page on DEP where it talks of Software DEP, the one that stops this attack from happening. I'm sure there are other exploits that find it easy to surpass software DEP, but in this one software DEP, which is real and is what the original story is talking about, is more then enough to stop this exploit. That is why Microsoft hasn't really been quick to issue a out of sequence update to fix the problem because it only effects IE6 and IE7 if DEP is not on. Since most run IE8 or alternative browsers, then no issue and SOFTWARE DEP is taking care of it.

Re:Bug is really for Windows XP

[f.ardelian]

(who modded this insightful?)

It was probably someone who thought "hmm... where's this browser's config file?"

ie sucks

IE is such a poor piece of technology. Before I enter a serious relationship, in addition to a background check, I also investigate the browser my potential significant other is using. If it's IE, I don't even bother since I don't date dummies.

Re:ie sucks

[PerfectionLost]

My gf uses ubuntu. I think that makes her smarter then me.

Re:ie sucks

[Stratoukos]

You may be laughing, but there was a documentary some years back, I think it's called Macheads, where a woman said in all seriousness that she wouldn't date any guy using Windows.

Re:ie sucks

[blind+monkey+3]

Was she worried about zero date exploits?

Re:ie sucks

[DrSkwid]

What if (s)he's still using Netscape 4 ?

Zero-Day?

Err, I don't really think you can call it a zero-day anymore.

Re:Attack Kit?

There's this new tool you really should check out.

Re:Attack Kit?

I'm sure you could purchase it somewhere, if you wished. Google would probably help. Or, you could just checkout the latest Metasploit SVN, which is probably where the Eleonore kit writers got the exploit. There's been PoC exploit code in there since Thursday.

ASLR is the other line of defense

[judeancodersfront]

Parent is right, it is only a problem for XP users

Re:Do other AV companies handle this

[NetNed]

Not really a AV programs problem as it is that DEP (data execution prevention) isn't available in IE6 and isn't on by default in IE7. IE8 has it on by default so it is not possible to execute the attack on it. So if you are running the latest version of IE8 it is not a issue. OR you could be smart and stop using IE and run Firefox, Chrome, or any other browser that doesn't seem to have as many loopholes, bugs and exploits as IE does.

Re:obligatory southpark reference

[amicusNYCL]

Right, Microsoft was sitting on this goldmine for the past 9 years just waiting to cash it in.

Re:obligatory southpark reference

[by+(1706743)]

Pretty sure 4) follows from 2), thus negating the need for 3).

Now, collecting underwear...therein lies the true mystery.

Re:Do other AV companies handle this

[Spad]

Though at all times it bears remembering that Firefox, Chrome and Others are all vulnerable to serious exploits from time to time.

News really?

[Evil_Ether]

How is Microsoft not fixing a vulnerability news? I say let the Windows users rot in their crapware infested systems!

Re:News really?

[Zaiff+Urgulbunger]

I'd agree... but I also own an Android 2.1 phone! :(

Becuase you are an administrator

[Sycraft-fu]

If you are an administrator of a system that by definition means you can do everything, including modify the registry. If you cannot understand this concept, then you need to learn more about how privilege levels in computers work and come back. There is no power without responsibility. The power to do something is the power to fuck something up.

Now as this applies to this specifically, most people who use Windows XP run as an administrator. They don't have to, you can run as a deprivileged user and indeed we make people here do that at work, but users do not choose to because it is a pain to do. That means any program they spawn runs with permissions to do anything, since that is the whole idea of an administrator. There is nothing special about a web browser, it is just a process. It can write to the registry, drive, or anything else. The OS doesn't put random restrictions on programs.

In Vista and 7, things are a little different. By default, even users flagged as administrators aren't actually running at an administrator privilege level. They run as regular users and have to elevate when they need to. This means that programs they launch without elevation cannot do things such as write to the registry, as that is not a normal user (and thus their programs) have. Also an additional layer of security was introduced called Mandatory Integrity Control. This allows for programs to be launched with even less privilege than a normal user has. This has to be configured per application, and the only thing I know that uses it is Internet Explorer. It restricts access much further, including denying read access to a great deal of what a user can read.

This is all the same deal as with UNIX. Though Windows permissions are different (Windows has far more granular security) it is the same basic thing. If you run a program as root in UNIX it can do everything, including mess with config files not belonging to it and so on. That is the point of root: To have access to everything. You can't grant that access to the user, but somehow deny it to the user's processes, that goes against the whole idea.

The fundamental problem is that people using XP and older run their systems as administrators, because it is easy to do. The first user you make is an administrator (the system must have one) and it doesn't make you make another. That means that all apps have all access.

Re:Becuase you are an administrator

[dbIII]

If you are an administrator of a system that by definition means you can do everything

Not in the weird MS Windows security model where users can lock the root user out (unless that's been fixed, it used to be sold as a feature) - but most of the time your point stands.

Re:Becuase you are an administrator

[metrix007]

You probably wont reply to this, but what the hell are you talking about? Windows having more granular security means it can do all the permutations of permissions available in unix and then some.

Re:Becuase you are an administrator

[fireylord]

My web browser can drive? Ooooh goodie!

I'd watch out with that thout, crashing twice a day would be bad for your insurance premiums

Re:Becuase you are an administrator

[Derek+Pomery]

Uh. More granular, yes, but also different. There were a couple of specific combinations they had issues with when mapping rwxrwxrwx to actual permissions.

Trying to find the mailing list entries now. Last time I ran into this with cygwin was around 8 years ago.
Windows permissions presumably haven't changed too much since then though.

Re:Becuase you are an administrator

[Derek+Pomery]

Found it. That took all of 20 seconds of googling. Let's see how long it takes slashdot to let me repost.

http://www.cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping

Still kinda curious about local overrides to global settings though. Does windows have that concept?

Re:Becuase you are an administrator

[ginbot462]

Does the "Document and Settings (XP)" and "User (Vista/Win7)" folder count for what you are asking? It IS the "~" equiv in Windows. "Application Data" is under there, where app specific settings are.

Re:Becuase you are an administrator

[Derek+Pomery]

Naw. I'm aware of those. We use 'em in our apps.

It is more like automatic override of global settings with user specific ones. Bears some similarity to the HKCU hive, except from my understanding of things, not automatic.

Maybe it's the most popular one

[pinkeen]

But cerainly not the best one - a quick search on youtube yielded great results - check out the liquavista display.

Capitalization

[zooblethorpe]

Broken Windows create Jobs.

Well, that explains quite a bit, actually.

Cheers,

Re:Attack Kit?

[Securityemo]

Author contact details are here: https://damagelab.org/index.php?showtopic=17952&hl=eleonore
The post is from last year, but there's a bump from the autor on the second page. I don't know russian, checked it out using google.

Just a part of the Windows ecosystem

[NicknamesAreStupid]

I wonder if this affects Windows Mobile 7? As I recall, it uses IE7. BTW, did you know that windows kill about a billion birds each year? No shit. They run into them, banging their heads again and again. Before anyone mods this off-topic, please consider the metaphor.

Re:Do other AV companies handle this

[Nerdfest]

Maybe it's my memory, but I don't see the people behind those browsers say "I don't think this is serious enough for an out of band update". Out of band? Fix teh damn bugs as soon as you can and let people install the patches later if that's what makes them happy.

Re:Attack Kit?

[negRo_slim]

I just find it silly that so much of what is being discussed is all based upon this supposed tool with nary a source to be found. This whole seem things more like a plug for AVG than any real discussion on matters of import.

That's a stupid test

[judeancodersfront]

I helped a Doctor with his laptop a while back and he was using.....IE8 (GASP). He must have been dummy. I've also helped people who were dolts when it came to picking up malware and they were running Firefox.

Most people use IE8 because it is good enough and its security is fine as long as you are using Windows 7 or Vista. IE6 sucks, IE8 is just mediocre.

Well, the first step...

[MacGyver2210]

...is to stop using IE for anything. It's a garbage browser.

Why would anyone use it when there's so many higher-quality free alternatives? Firefox? Chrome?

Just let it die.

Re:Attack Kit?

[Securityemo]

Yeah. But on the other hand, actual informed commentary would be lost on anyone but malware analysts/coders. Offensive computing has a sample and some initial dissection data at http://www.offensivecomputing.net/?q=node/1419, but anyone who would actually be interested already knows this.

So?

[Lanteran]

Internet explorer is Internet explorer. If you're using it, you deserve whatever you get.

Re:The same who profit from advertising this

[Securityemo]

No, you're paying to an industry that centers around making itself obsolete.

Re:Do other AV companies handle this

[BCoates]

If the parent post is correct that only IE7 and earlier are vulnerable in their default configurations, the fair comparison would be to update support for browsers a year and a half out of date--are firefox 2.0 or 3.0 still getting timely security patches?

Re:WP7 is ARM based

[judeancodersfront]

Why was this modded down?

Re:Parentheses & Commas:

[uninformedLuddite]

why?

Hmm.

[vegiVamp]

> Microsoft has promised to patch the vulnerability, but last week said the threat didn't warrant an 'out-of-band' update.

So, this is a zero-day HOW ?

Subject

[Legion303]

So if you read between Microsoft's lines, they appear to be suggesting a temporary workaround of not using IE.