Coffeehouse Thread

35 posts

New exploit in IE

  • ZippyV

    Let's see how long it takes for the patch to come out.

    http://www.neowin.net/comments.php?id=21670&category=main

  • LarryOsterman

    I'm not saying it's not real, but I'm surprised that it hasn't hit BUGTRAQ or NTBUGTRAQ yet.

    It's also suspicious because they're describing an exploit that apparently is embedded inside images.

    This would imply that it's a vulnerability in one of the image rendering formats, like TIFF, JPG, or GIF.

    If such a vulnerability exists, it's likely that it hits all browsers, not just IE.

  • lars

    Another 0day? I'm getting a strange feeling of déjà vu.

    /Lars.

  • ZippyV

    Is Microsoft investigating it?

  • lars

    Interesting. I wonder what eWeek's "Security experts" source is. Hope Microsoft is already hard at work fixing it. Break out the whip. :)

    /Lars.

  • LarryOsterman

    Beats me, I don't work in MSRC.

    I'd be surprised if they weren't, but that all depends on if this is real or not.

    It also depends on if this is a new exploit or not.  It might not be, there have been exploitable bugs in image decoding before.

    Edit:  One thing to keep in mind here:  AFAIK, NeoWin.Net makes its money by being as sensationalist as possible, so does eWeek.  It's also critical for them to put news up as quickly as possible to avoid being "scooped".

    Neowin in particular has a reputation of putting up news first and then verifying it.

    I'm not saying this isn't real.  It very well may be.  But it'll be interesting to see how it plays out.

    As I said before, if it was real, I'd expect that NTBUGTRAQ or BUGTRAQ would be all over this, but there's been no traffic on it so far today.

    It may just be a slow day on the lists though, this could be another 0day exploit.

  • scobleizer

    They almost certainly are. But, if you ever find an exploit please let us know at secure@microsoft.com -- they do watch that alias and respond to it (I know, I've sent a few things over there).

    Stay tuned to http://www.microsoft.com/security/ for more updates.

  • LarryOsterman

    Good point Robert.  secure@microsoft.com IS monitored, 24x7 (we've had people report problems on Sunday morning at 1am and because we didn't respond to the vulnerability within 12 hours they assumed we weren't listening and instead of working with MS, they just publicly announced the vulnerability).


    I'm still not convinced about the reality of this one.

    I looked at Netsec's web site and they don't have any information on it, which is actually good, because it implies that they're not announcing this to garner publicity for their company (this has happened before).

    One of the issues with security is that for every eEye or NGSB out there, there are a bunch of people who would love to sell their products and are more than willing to cry wolf in order to increase their sales.

    That's actually why I'm suspicious.  Usually news of this kind of thing starts showing up on bugtraq before it hits the press.

    The fact that Netsec hasn't put up a press release indicates that it's possible that they're working with MSRC to figure out what's going on.  Which would be a good thing.

    If it's real, there should be an announcement of some kind soon.

  • LarryOsterman

    Info from symantec on the virus:
    http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html

    From Ziff-Davis:
    http://zdnet.com.com/2100-1105_2-5247187.html

    The same article from MSNBC:
    http://www.msnbc.msn.com/id/5290386/


    The vulnerability being exploited (according to ZD):
    http://zdnet.com.com/2100-1105_2-5229707.html?tag=nl

    The vulnerability in question was reported by Jelmer on Bugtraq about a week ago, XP SP2 isn't vulnerable to it.

  • jonathanh

    More information from the Internet Storm Center, including the filenames found on compromised IIS systems, and the evidence to look for in proxy logs: http://isc.incidents.org/

  • jonathanh

    Ok, Microsoft's security team are calling it "Download.Ject".  Here's the recommended steps for sysadmins to take:
    http://www.microsoft.com/security/incident/download_ject.mspx

    Currently looks like systems running IIS 5 on unpatched Windows 2000 are vulnerable.

  • ZippyV

    But what about Internet Explorer?

  • LarryOsterman

    Apparently the tack that's being taken is to fix the vulnerable IIS machines.

    I'm not 100% sure why, because it seems to me that this just fixes this particular vector of the vulnerability, but...

  • manickernel

    I am following eEye's suggestion and doing the following registry edit for about 1000 users Monday, will let you know how it goes. Have tested for a couple of days and it seems ok.

    http://www.eeye.com/html/research/alerts/AL20040610.html

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
    "Compatibility Flags"=dword:00000400

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta]

    Thanks Microsoft, I was one of your biggest supporters in my organization.

    Linux looks better every day, and Opera/Firebird are a slam dunk.

    Vance
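
An added check for the rollout described in the post above (example code, not from the thread or from eEye): it reports, for each registry view, whether the Compatibility Flags value on the CLSID has the 0x400 bit set and whether the application/hta MIME key is gone. The key paths are the ones in the .reg file; the function name Test-RegFileApplied and the output field names are made up for this example.

```powershell
# Added example: audit the two changes made by the .reg file in the post above.
# Key paths are copied from that file; everything else is illustrative.
$AxKey   = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}'
$HtaKey  = 'SOFTWARE\Classes\MIME\Database\Content Type\application/hta'
$KillBit = 0x400   # "Compatibility Flags"=dword:00000400 (the ActiveX kill bit)

function Test-RegFileApplied {
    # Check both views: 32-bit IE on 64-bit Windows reads the 32-bit view.
    foreach ($view in 'Registry64', 'Registry32') {
        # Use the .NET API rather than the HKLM: drive. The registry provider
        # treats the "/" in "application/hta" as a path separator and would
        # look up the wrong key.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        try {
            $flags = $null
            $ax = $hklm.OpenSubKey($AxKey)
            if ($ax) {
                $flags = $ax.GetValue('Compatibility Flags')
                $ax.Close()
            }

            $hta = $hklm.OpenSubKey($HtaKey)
            $htaPresent = [bool]$hta
            if ($hta) { $hta.Close() }

            # The value must be a DWORD with the 0x400 bit set; other bits may be set too.
            $flagSet = ($flags -is [int]) -and (($flags -band $KillBit) -eq $KillBit)

            [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                View           = $view
                CompatFlags    = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { 'missing' }
                FlagSet        = $flagSet
                HtaMimeRemoved = -not $htaPresent
                Compliant      = $flagSet -and -not $htaPresent
            }
        }
        finally {
            $hklm.Close()
        }
    }
}

Test-RegFileApplied | Format-Table -AutoSize
```

A machine where only the 64-bit view was patched shows up as one compliant row and one non-compliant row, which is the case a single-path check misses.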

  • scobleizer

    Microsoft has released a security alert. We have a team that is dedicated to these kinds of crisis situations.

    They publish their findings at microsoft.com/security.

    If you find a new exploit, or know of some security problem on one of our products, please send email to secure@microsoft.com.

    Already this page has been updated a few times in the past 24 hours. If you think you have a security problem with a Microsoft product, please check the security site.

    If you just want to make sure you are protected, then visit microsoft.com/protect.

  • lars

    XPSP2 where art thou?

    If this exploit uses the 'Jelmer vulnerability', fixing IIS still leaves MSIE open for someone else to exploit. Come on, either get XPSP2 out the door or fix ADODB.Stream already.

    Hmm. Symantec has named it JS.Scob.Trojan. Are you moonlighting Scoble? :)

    /Lars.

  • Knute

    manickernel wrote:


    Thanks Microsoft, I was one of your biggest supporters in my organization.

    Linux looks better every day, and Opera/Firebird are a slam dunk.

    Vance


    Vance, come on man. When Linux gets big enough the script kiddies will attack it as well. They get more bang for the buck by attacking MS right now.

    ~ Knute

  • lars

    True that. It's not like Linux based systems are unheard of on Bugtraq or Full Disclosure. No one is perfect (including me).

    /Lars.
