March 24th, 2006

Malware pushers already using zero-day exploit

Posted by Suzi Turner @ 2:18 pm

Categories: Security and prevention, Spyware/adware warnings

Yesterday the news hit about another zero-day exploit for Internet Explorer with code publicly available and today the malware pushers are already using the exploit. George Ou has a good post about the exploit including instructions on how to turn off active scripting for home users and for all computers in a domain.

The Secunia advisory here says:

The vulnerability is caused due to an error in the processing of the "createTextRange()" method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way which allows the program flow to be redirected to the heap.

This vulnerability has been confirmed on a fully patched Windows XP SP 2 system running Internet Explorer 6 and affects the IE 7 Beta 2 preview released in January. Other versions may be affected. AFAIK Firefox, Mozilla and Opera are not affected. Microsoft advisory here.

SANS has raised InfoCON to yellow. Ed Skoudis wrote:

At the urging of Handler Extraordinaire Kyle Haugsness, I tested the sploit on a box with software-based DEP and DropMyRights… here are the results:

Software-based DEP protecting core Windows programs: sploit worked
Software-based DEP protecting all programs: sploit worked
DropMyRights, config’ed to allow IE to run (weakest form of DropMyRights protection): sploit worked
Active Scripting Disabled: sploit failed

So, go with the last one, if you are concerned.  By the way, you should be concerned.

Security and spyware researchers have already seen sites in the wild running this exploit. Some appear to be hacked sites using iframes. Network admins and ISPs are being notified. One such hacked site was downloading a keylogger.

For Windows users — even if you use Firefox or Opera, I recommend you disable active scripting because a lot of apps will cause IE to open. If you disable active scripting, you might need to put some sites in your Internet Explorer trusted sites zone for certain features to work.
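As an added example (not the post's own content, nor George Ou's instructions), a PowerShell script that applies the mitigation recommended above for a single user: it disables Active Scripting in IE's Internet zone, adds a site to the Trusted Sites zone, and reads the setting back to confirm it took. The zone numbers and the `1400` value come from IE's standard zone registry layout; `example.com` is a constructed placeholder.

```powershell
# Added example, not code from the post. Assumes the standard IE zone registry
# layout: Zones\2 = Trusted sites, Zones\3 = Internet; value 1400 = Active
# scripting, with 0 = enable, 1 = prompt, 3 = disable.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Set-ActiveScripting {
    # Write the Active Scripting setting (1400) for one zone.
    param([int]$Zone, [ValidateSet(0, 1, 3)][int]$Setting)
    $key = Join-Path $ZonesKey $Zone
    Set-ItemProperty -Path $key -Name '1400' -Value $Setting -Type DWord
}

function Add-TrustedSite {
    # Map a domain into the Trusted Sites zone (2). The value name is the URL
    # scheme the mapping applies to; 'https' keeps plain-HTTP pages out of it.
    param([string]$Domain, [string]$Scheme = 'https')
    $key = Join-Path $ZoneMapKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

function Test-ActiveScriptingDisabled {
    # Check: returns $true only if the zone's 1400 value is present and set to 3.
    param([int]$Zone = 3)
    $props = Get-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name '1400' -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.'1400' -eq 3)
}

# Apply the mitigation for the current user and verify it.
Set-ActiveScripting -Zone 3 -Setting 3
Add-TrustedSite -Domain 'example.com'   # constructed placeholder; replace with a real site
if (Test-ActiveScriptingDisabled -Zone 3) {
    'Active Scripting is disabled in the Internet zone.'
} else {
    'WARNING: Active Scripting is still enabled in the Internet zone.'
}
```

For every machine in a domain, the same Internet zone setting is delivered through Group Policy (the Internet Explorer security page templates) rather than per-user registry writes, and the check above can be run on clients to confirm the policy applied.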

Update 5:40 PM: Websense is reporting a rapid increase in sites using this exploit. At the time of the blog post, nearly 100 unique URLs had been found attempting to run this exploit. There is also suspicion that web server exploits are being used to compromise sites intended to be used to run the IE exploit. Travel related websites and sites using phpBB are mentioned.

Network/sys admins, webhosting companies and webmasters – *please* secure your web servers!  I’ve read some shocking evidence of lack of knowledge regarding security of web servers, mostly Apache servers, on various webhosting and webmaster forums.  It’s truly frightening.
