Topic: Browser

Exploit Wednesday follows MS Patch Tuesday

Summary: Less than 24 hours after Microsoft shipped fixes for code execution holes in Internet Explorer and Windows, proof-of-concepts for remote exploits are popping up on the Internet.

By Ryan Naraine for Zero Day | June 13, 2007 -- 11:02 GMT (04:02 PDT)

Follow @ryanaraine

Less than 24 hours after Microsoft shipped fixes for code execution holes in Internet Explorer and Windows, proof-of-concepts for remote exploits are popping up on the Internet.

On security mailings lists and at the Milw0rm.com site, there are at least three exploits circulating. These provide a roadmap for attackers to launch remote attacks to take complete control of an Windows machine.

Two of the three target gaping holes in the dominant Internet Explorer browser -- flaws that could be exploited by simply luring the target to surf to a Web page. (See exploit code here and here).

The vulnerabilities -- in the Microsoft Speech API ActiveListen and ActiveVoice ActiveX controls -- have been patched with the MS07-033 bulletin so it's important to treat that update with the highest possible priority. * [ SEE: ‘Critical’ Vista, IE 7 patches highlight MS security updates ]

Will Dorman of the CERT Coordination Center explains the real-world risks:

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.

This patch applies to Internet Explorer 7 on Windows Vista.

Proof-of-concept code for a third exploit was released by Thomas Lim of COSEINC to provide technical details of of a "critical" flaw in the Secure Channel (Schannel) security package in Windows. This bug was patched with MS07-031.

* See step-by-step instructions on configuring Internet Explorer to run securely in our image gallery.

Topics: Browser, Microsoft, Security, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

55 comments

Log in or register to join the discussion

Here we go again !?!?!?!?

The patches were just released yesterday , and now today we have P.O.C.'s on these exploits . Oh damn , now who was it that said that Microsoft Vista is by far the most secure and stable OS on the planet . Also I noted to Ye and a few others about the dangers of ACTIVE X last month . Anyway all I have to do is keep my kids off their Windows box and my network is safe .

P.S. This goes out to Shelendrea

A patch for a patch that was suppose to fix the problem in the first place .

Intellihence
13 June, 2007 11:35

Reply Vote
- See my post.
  
  I think the world would be a better place if ActiveX just went away, but what, seriously should MS do. Not patch because it will lead to vulnerabilities for those who don't patch? The exploit fault needs to lie squarely on the shoulders of the scumbags who write it, not MS.
  
  Having the problems in the first place, no comment. Vista more/less secure, no comment, maybe in 6 months to a year (certainly more secure than previous Windows). ActiveX should die, I agree completely. javascript should die, agree completely. Both enable ease of use, and are just really really crappy in terms of security.
  
  TripleII
  
  TripleII-21189418044173169409978279405827
  13 June, 2007 11:44
  
  Reply Vote
- You keep saying that
  
  Please post a link to where someone explicitly called Vista "by far the most secure and stable OS on the planet" (besides yourself, that is). If I recall, it was called the most secure and stable WINDOWS, not OS.
  
  Carl Rapson
  
  rapson
  13 June, 2007 12:23
  
  Reply Vote
  - Here you go
    
    I was saving this for another time, but. It is too soon to tell how secure or not Vista is, imho.
    
    http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=31710&messageID=585291&start=9
    
    TripleII
    
    TripleII-21189418044173169409978279405827
    13 June, 2007 12:39
    
    Reply Vote
    - Nice!
      
      ]:)
      
      Linux User 147560
      13 June, 2007 13:00
      
      Reply Vote
    - Danske Tripell for saving my *ss this time .
      
      I owe you one . I've been hearing for months from many that Vista is the most secure and most stablest OS in the world . I on the other hand refused to believe it . You ask why ? hey these are Microsoft products we are talking about here . Like so many here , that have blatantly called Windows SWISS CHEESE . <---Not a security model to be admired is it ?
      
      Intellihence
      13 June, 2007 13:17
      
      Reply Vote
      - Swiss cheese
        
        has a certain security value you might not have considered. It keeps the guard mice from leaving the area! :)
        
        Freebird54
        16 June, 2007 05:22
        
        Reply Vote
  - Dunno about "explicitly"...
    
    But searching about I found this article:
    http://www.betanews.com/article/Microsoft_Vista_Most_Secure_OS_Ever/1150366131
    Which starts off by saying: "Microsoft senior vice president Bob Muglia opened up TechEd 2006 in Boston Sunday evening by proclaiming that Windows Vista was the most secure operating system in the industry."
    
    This article seems to be found in several places via google using advanced search for '"Bob Muglia" TechEd 2006' as the criteria.
    So I started looking for the keynote and found this:
    http://teched06.blogspot.com/
    Which, down in the text, points to some video of the keynote. I can't seem to get to the site.
    
    So did he or didn't he? I wasn't there to report.
    
    Cardinal_Bill
    13 June, 2007 13:00
    
    Reply Vote
    - He did .
      
      Also I believe Ballmer made the same claim . Now here is the real funny part , vista is what , like only a few months old and it's already being targeted . A few months ago I said that vista's security model would be in shambles by the end of this summer . Let's see how much of what I said is true . By the way things are looking currently , I beleive I may be right .
      
      Intellihence
      13 June, 2007 13:13
      
      Reply Vote
      - PSSST.....
        
        'I' BEFORE 'E' EXCEPT AFTER 'C'. Gotcha =-)
        
        Shelendrea
        13 June, 2007 14:56
        
        Reply Vote
      - Gotcha
        
        It must have been a typo , usually I get the spelling right .
        
        Intellihence
        14 June, 2007 02:27
        
        Reply Vote
- ROTFL
  
  I can't believe that you remember that! =-)
  BTW- I believe it was more along the lines of the patch that patch the patch that patched the patch that was supposed to patch the patch from last month =-)
  
  On another note..... I did think that Vista WAS supposed to be more secure.
  Also (and this goes for any OS, product, platform... take your pick) when they patch something (ie FIX it) theoretically there shouldn't be a way to get through it.
  
  Shelendrea
  13 June, 2007 14:36
  
  Reply Vote
- Why do you gloat so?
  
  Do you gain some sort of sick twisted pleasure from the misfortune of others? Are you emotionally attached to a piece of software? Do you need to validate you feelings of self worth vicariously by affiliating yourself with an OS?
  
  Duke E. Love
  15 June, 2007 10:53
  
  Reply Vote
Rock and a hard place

for MS. Fix the exploits and the scumbags of the world pounce trying to exploit those who have not patched. I wonder if it is finally, finally time to eliminate and move away from ActiveX. Imagine how much easier life would be for MS is ActiveX just went away. (I feel basically the same about javascript).

I want to put kudo's out there to MS for patching, working to make things more secure for the user, but I do want to ask the experts here, what, really is critical in ActiveX that it couldn't be done in .net, or java, or some other way?

In the history of patches, and infections, how much can be attributed back to ActiveX.

TripleII

Again, javascript is no better and probably worse in terms of the current security model.

TripleII-21189418044173169409978279405827
13 June, 2007 11:39

Reply Vote
- Microsoft needs ActiveX to destroy Java...
  
  Microsoft needs ActiveX to destroy Java, so Windows users will have to suffer for a while longer.
  
  olePigeon
  13 June, 2007 12:28
  
  Reply Vote
- Performance
  
  "what, really is critical in ActiveX that it couldn't be done in .net, or java, or some other way?"
  
  Performance. ActiveX controls are compiled, binary code, meaning that it runs with as fast of performance as possible. Contrast that with Java or .NET which are compiled at runtime.
  
  I can't imagine Flash, especially when decoding and playing video, getting decent performance if it was written as a Java applet or .NET plugin. ActiveX is the way to go.
  
  P.S. These aren't bugs in IE or in its ActiveX support. These are bugs in the actual ActiveX controls (COM objects) themselves (the speech/ActiveVoice objects). IE is the primary attack vector, but other ones exist, for example a Microsoft Word document that uses the object.
  
  PB_z
  13 June, 2007 13:02
  
  Reply Vote
- ActiveX not inherently (much) more dangerous than Java
  
  ActiveX is just another platform to write apps on. I think the biggest problem with ActiveX has not be the technology itself but the crap implementation.
  
  Examples are the dozens of IE exploits over the years that allowed drive-by installs of activex controls, and the confusing installation confirmation interface (A simple box with uninformative text and yes/no buttons) in early versions of IE.
  
  Since ActiveX controls are installed globally, and can do anything that any other program can do, they rightly require admin rights to install. But that never mattered one bit since Microsoft gave admin rights by default in XP.
  
  I think the problem with ActiveX came down to it being so damn easy to install controls. It's already super easy to install new software on Windows. ActiveX + IE made it so that instead of having to download and executable, and run it (which some newbie computer users have trouble doing) all you had to do was click one button.
  
  The sort of havoc caused by ActiveX controls can by caused with Java applets too, so I wouldn't be so quick to proclaim Java (or .NET or whatever else) as the savior.
  
  I remember a thread in a security forum (dslreports.com) started by someone who used Opera exclusively and somehow got infected with nasty spyware while browsing the web. This person was shocked and wanted to know how he could have been infected. It turned out he was running a slightly outdated versions of Suns JRE, which was affected by multiple vulnerabilities that allowed remote code execution, and/or "drive-by installs".
  
  toadlife
  13 June, 2007 13:05
  
  Reply Vote
  - Thanks for the info
    
    I do concede the problem is much more prevalent with older versions on non Vista where the user priveledge is not admin. In any case, java running as admin is about as bad. I was also looking to start a discussion on something other than the usual. :D
    
    TripleII
    
    TripleII-21189418044173169409978279405827
    13 June, 2007 14:20
    
    Reply Vote
Don't forget the rules!

These are non-issues according to the following rules:

1. User level exploit (on Vista).
2. PoC only.
3. Requires user intervention.
4. Already patched.

Vista...100% unscathed so far.

ye
13 June, 2007 11:54

Reply Vote
- Ye you are in denial .
  
  When are you going to get it through your thick head that the 400.00 you spent on Vista was not worthwhi;e . ROTFLMAO !!! Bill Gates took your money and ran .
  
  Intellihence
  13 June, 2007 11:59
  
  Reply Vote