Thread: 2006 MS Alerts - Q3

  #16 AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    MSIE Zero-Day exploit in use on the Web

    FYI...

    - http://www.eweek.com/article2/0,1759...129TX1K0000614
    September 18, 2006
    "Security researchers at Sunbelt Software have discovered an active malware attack against fully patched versions of Microsoft's Internet Explorer browser. The exploit has been seeded at several porn sites hosted in Russia and is being used to launch drive-by malware downloads that appear to be hijacking Windows machines for use in botnets. eWEEK has confirmed the flaw—and zero-day attacks—and on a fully patched version of Windows XP SP2 running IE 6.0. There are at least three different sites hosting the malicious executables, which are being served up on a rotational basis. According to Eric Sites, vice president of research and development at Florida-based Sunbelt Software, the vulnerability is a buffer overflow in the way the world's most widely used browser handles VML (Vector Markup Language) code. The attack is linked to the WebAttacker, a do-it-yourself malware installation toolkit that is sold at multiple underground Web sites. "Once you click on the site, the exploit opens a denial-of-service box and starts installing spyware," Sites said. He said the exploit can be mitigated by turning off JavaScript in the browser..."
    - http://sunbeltblog.blogspot.com/2006...oit-being.html
    =============================================

    - http://secunia.com/advisories/21989/
    Release Date: 2006-09-19
    Critical: Extremely critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched
    Software: Microsoft Internet Explorer 6.x
    ...Successful exploitation allows execution of arbitrary code.
    NOTE: Reportedly, this is currently being exploited in the wild.
    The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
    Solution:
    Do not visit untrusted web sites.
    Deactivating Active Scripting will prevent exploitation using the currently known exploit..."
    ===========================================

    - http://blog.washingtonpost.com/secur...loit_spel.html
    September 18, 2006; 10:25 PM ET
    "...If past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage... Among the nasty pieces of software an IE user can expect to be whacked with upon visiting one of the sites is the BigBlue keystroke logger, which monitors and captures data from computers including screenshots, keystrokes, web cam and microphone data; it also records instant messaging chat sessions, e-mail information and the Web sites visited by the user. The exploit is also being used to install the incredibly invasive Spybot worm and VXGame Trojan, as well as adware titles that scam artists profit from on a per installation basis, such as Virtumondo, SafeSurfing, Avenue Media, WebHancer, Internet Optimizer, SurfSidekick, DollarRevenue, and the bogus anti-spyware program SpySheriff..."
    ===============================

    - http://www.symantec.com/enterprise/s...ay_exploi.html
    September 19, 2006
    "...We have confirmed that this exploit takes advantage of a bug in VML (Vector Markup Language, which is an XML language used to produce vector graphics) to overflow a buffer and inject shell code. The exploit then downloads and installs multiple Security Risks, such as spyware, on the compromised machine... Although Microsoft has already been informed, at the time of writing there is no patch available for this particular exploit. Mitigating strategies include disabling JavaScript in Internet Explorer and using non-vulnerable browsers..."
    > http://www.symantec.com/enterprise/s...091914-1801-99
    ===============================

    Microsoft Internet Explorer VML stack buffer overflow
    - http://www.kb.cert.org/vuls/id/416092
    Last Updated - 09/19/2006

    ============================================

    - http://blogs.technet.com/msrc/archiv...19/457560.aspx

    Microsoft Security Advisory (925568)
    Vulnerability in Vector Markup Language Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/925568.mspx
    Published: September 19, 2006
    "Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited. A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs...
    Workarounds -
    Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified..."

    (More detail at the MS Advisory URL.)
    ============================================

    - http://www.websense.com/securitylabs....php?BlogID=81
    Sep 20 2006
    "The recently reported VML Internet Explorer "zero-day" exploit now has attack code publicly posted on the web. Although the first version results in a denial of service and not escalated privileges, we expect to see public posts of exploit code that does allow a user to run code without user-interaction. This may result in increased attacks based on the fact that there are no patches available and often "copy-cat" attacks that simply cut and paste P.O.C. code often occur after public release."

    Last edited by AplusWebMaster; 2006-09-20 at 17:22. Reason: Added Websense blog info...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...