Zero-day IE Exploit Just The Beginning


Andrew
10-02-03, 06:34 PM
ZERO-DAY IE EXPLOIT JUST THE BEGINNING
A zero-day exploit targeting an Internet Explorer vulnerability (versions 5 and forward) is being used to install a Trojan. Experts warn that it's only a prelude to a series of attacks that are likely to wreak havoc given the number of unprotected systems.

"This zero-day exploit is huge. It will likely be a major, and highly successful, vector of attack upon thousands of computers for some time," says Ken Dunham, malicious code intelligence manager at iDEFENSE. "We have verified that attackers are installing backdoor Trojans and dialers on targeted computers at will."

"Multiple examples of the exploit code are available for attackers to analyze and use in crafting their own attack," adds Dunham. "This type of code availability and underground activity traditionally foreshadows a flurry of malicious attacks."

Microsoft first issued a patch for the 'object type' vulnerability on Aug. 20. The flaw allows an attacker to compromise a system by embedding malicious code in a Web page. If the Web page is viewed with a fully patched IE browser, the malicious code embedded in the Web page will execute. The 'object type' vulnerability patch doesn't prevent this variation of the flaw, but Microsoft plans to issue a fix shortly.

"Microsoft is investigating reports of a malicious Web site that exploits a variation on a vulnerability originally patched in MS03-032," says a Microsoft spokesman. "While we will release a fix for this variation shortly, users can help protect against this newly reported issue by changing their IE Internet security zone settings to prompt them before running ActiveX components. MS03-032 has been updated to include steps for customizing IE security settings."

Unlike some other vulnerabilities, this one requires no user interaction.

"This isn't a training issue where users are told not to accept certain certificates or controls," says Dunham. "If a computer is vulnerable it will be infected without any user interaction other than simply surfing the Internet."

http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
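
Added example, not part of the original thread or the quoted article: a check that the "prompt before running ActiveX" workaround described above is actually in effect, run against an exported copy of the IE zone settings. The action numbers (1200, 1405), the policy values (0 enable, 1 prompt, 3 disable) and the registry path are the standard IE zone settings and are assumptions not taken from this page; the sample export is constructed.

```python
import re

# Constructed sample: fragment of a `reg export` of the per-user IE zone settings.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1200"=dword:00000000
"1405"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1200"=dword:00000003
"1405"=dword:00000003
'''

ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}
# Assumption: these two URL actions are the ones worth auditing for this workaround.
ACTIONS = {"1200": "Run ActiveX controls and plug-ins",
           "1405": "Script ActiveX controls marked safe for scripting"}
POLICY = {0: "enable", 1: "prompt", 3: "disable"}

KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def audit_zones(reg_text, zones=("3",)):
    """Return (zone, action, setting) for each audited action that is not prompt/disable."""
    seen, zone = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            zone = key.group(1)
        elif line.startswith("["):
            zone = None                      # some other key: ignore its values
        else:
            val = VAL_RE.match(line)
            if val and zone and val.group(1) in ACTIONS:
                seen[(zone, val.group(1))] = int(val.group(2), 16)
    findings = []
    for z in zones:
        for action, label in ACTIONS.items():
            v = seen.get((z, action))
            if v not in (1, 3):              # missing values need review too
                setting = POLICY.get(v, "not set" if v is None else hex(v))
                findings.append((ZONES[z], label, setting))
    return findings

if __name__ == "__main__":
    for finding in audit_zones(SAMPLE_REG):
        print("REVIEW:", *finding, sep=" | ")
```

A value reported as "not set" means the per-user key carries no override, so the effective setting comes from elsewhere and should be checked in the browser's security settings dialog.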

aforceforgood
10-02-03, 10:04 PM
Well, I changed my ActiveX control to prompt, and promptly got asked if I wanted to allow an ActiveX script to run while searching for a plane ticket.

Is it ok if it's marked as safe to run?

Or is there any way to know?

Andrew
10-02-03, 10:07 PM
There is no single source to tell you if something is safe or not. It would be helpful if the ActiveX control was digitally signed, and you trusted the company and website you're accessing.

aforceforgood
10-02-03, 10:19 PM
So basically, until Microsoft comes up with a patch (and we download and install it), it's best to consider all ActiveX scripts unsafe to run, right?

Maybe my perception is incorrect, but it sounds like this virus is able to infect websites' servers and masquerade as their ActiveX scripting. Is that correct?

Andrew
10-02-03, 10:21 PM
For the paranoid... yes. (P.S. I'm paranoid)

If you trust the site (i.e. you've been there many times before) it's probably OK, but CHECK THE URL of the site you're on, just to be sure.

Andrew
10-02-03, 10:30 PM
To clarify, this is a large-scale, concerted effort to install trojans on many, many (in the hundreds, if not thousands) of computers, to be used later for a series of significant Distributed Denial of Service attacks.

Please heed this warning! This is serious, and can affect any and all web services available today.

Wheel1975
10-03-03, 12:23 AM
And Macs are immune again, right?

5 PCs and one Mac!

Andrew
10-03-03, 08:55 AM
You should check Microsoft's website for further details. I have not been able to find any reference to PC vs Mac, but it appears to imply PC.

Andrew
10-04-03, 06:48 PM
Security Update for Microsoft Internet Explorer
http://www.microsoft.com/security/security_bulletins/ms03-040.asp