Saturday, March 20, 2010

IE exploit on IE6.0 and Windows XP SP2


Exploit code for the zero-day hole in Internet Explorer linked to the China-based attacks on Google and other companies has been released on the Internet, McAfee said on Friday. Also, the German federal security agency issued a statement on Friday urging its citizens to use an alternative browser to IE until a patch arrives.
McAfee researchers have seen references to the code on mailing lists and confirmed that it has been published on at least one Web site, the company's Chief Technology Officer George Kurtz wrote in his blog. "The exploit code is the same code that McAfee Labs had been investigating and shared with Microsoft earlier this week," he said.
The attack exploits the latest error found in how the "createTextRange()" method is processed on a radio button control. "This can be exploited by a malicious Web site to corrupt memory in a way [that] allows the program flow to be redirected to the heap." The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected.
The flaw was discovered by the security company Secunia and described in their advisory.
SANS Internet Storm Center (ISC) raised its Infocon to yellow.
SANS says this exploit is available in Metasploit, but as far as they are aware at this moment there are no automated tools taking advantage of the exploit and widely attacking the internet. The exploit currently affects a version of the product that is two major revisions behind the current release, and should really not be widely used anymore. Easy workarounds are available by using other browsers or products, signatures are available from the AV vendors, and the patch should be available in the next 3-4 weeks.
"The irresponsibility of releasing such a dangerous exploit will require systems administrators to take drastic action to protect their systems," Scott Carpenter, director of security labs at Herndon, Va.-based Secure Elements Inc., said in an e-mailed statement. "When vulnerable home systems are added into the equation, Internet Explorer users can expect a virus or worm in the very near future. The most probable vector for this worm will be in the form of spam with malicious links that will tempt users into clicking on a link that takes them to a malicious Web site."
Microsoft's Response:
"Microsoft has determined that an attacker who exploits this vulnerability would have no way to force users to visit a malicious Web site," he said in an e-mail. "Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site." They also added, "Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This will either take the form of a security update through our monthly release process or providing an out-of-cycle security update."
Temporary Recommendation:
In the meantime, Microsoft said users can protect themselves by configuring IE to prompt before running Active Scripting or by disabling Active Scripting in the Internet and local intranet security zones. Users can also set Internet and local intranet security zone settings to "High" to prompt before running Active Scripting in these zones.
The complete story is here.
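The Active Scripting workaround above can be checked and applied through the per-user zone settings in the registry. The following is an added example, not part of the original post or of Microsoft's guidance. It assumes PowerShell 3.0 or later and the standard IE zone layout (zone 1 = Local intranet, zone 3 = Internet, URL action 1400 = Active Scripting); the function names are hypothetical.

```powershell
# Added example: audit and optionally harden the Active Scripting setting
# for the Local intranet (1) and Internet (3) zones of the current user.
# URL action 1400 = Active Scripting; 0 = enable, 1 = prompt, 3 = disable.
# Only per-user settings are read; Group Policy keys, if present, can override them.
$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    foreach ($id in ($Zones.Keys | Sort-Object)) {
        $key   = Join-Path $ZonesRoot "$id"
        $value = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'

        if ($null -eq $value) {
            $state = 'Not set (zone template default applies)'
        } elseif ($Meaning.ContainsKey([int]$value)) {
            $state = $Meaning[[int]$value]
        } else {
            $state = "Unknown ($value)"
        }

        [pscustomobject]@{
            Zone        = $Zones[$id]
            RawValue    = $value
            State       = $state
            # Assumption: an unset value is flagged for review, since the
            # default template may allow scripting without a prompt.
            NeedsReview = ($null -eq $value -or [int]$value -eq 0)
        }
    }
}

function Set-ActiveScriptingPolicy {
    param([ValidateSet(1, 3)][int]$Value = 1)   # 1 = prompt, 3 = disable
    foreach ($id in $Zones.Keys) {
        $key = Join-Path $ZonesRoot "$id"
        Set-ItemProperty -Path $key -Name '1400' -Value $Value -Type DWord
    }
}

# Report the current state; uncomment the next line to apply "prompt".
Get-ActiveScriptingState | Format-Table -AutoSize
# Set-ActiveScriptingPolicy -Value 1
```

Run the report before and after the change to confirm both zones show Prompt or Disabled.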