Microsoft Zero Day security holes being exploited

Discussion in 'Security Software' started by imhotep, Sep 23, 2006.

  1. imhotep

    imhotep Guest

    Microsoft Zero Day security holes being exploited

    "Microsoft has issued warnings about a serious flaw in Internet Explorer
    that allows attackers to hijack a PC via the popular browser

    Researcher Adam Thomas uncovered the exploit which revolves around the way
    that the Internet Explorer browser handles a particular form of graphics
    known as vector graphics.

    A properly crafted webpage can exploit this problem and install almost
    anything they want on the target machine.
    Unusable PC

    Tests by Sunbelt Software on a Windows machine patched with all the latest
    security updates showed attackers installing a huge amount of spyware and
    other malicious programs."

    http://news.bbc.co.uk/2/hi/technology/5365296.stm

    Imhotep
     
    imhotep, Sep 23, 2006
    #1
  2. PA Bear

    PA Bear Guest

    <QP>
    Wanted to update you on what we’ve seen to date with the VML issue. Attacks
    remain limited. There’s been some confusion about that, that somehow
    attacks are dramatic and widespread. We’re just not seeing that from our
    data, and our Microsoft Security Response Alliance partners aren’t seeing
    that at all either. Of course, that could change at any moment, and
    regardless of how many people are being attacked, we have been working
    non-stop on an update to help protect from this vulnerability.
    </QP>
    Source: http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx

    Being an alarmist doesn't help anyone.
     
    PA Bear, Sep 23, 2006
    #2

  3. imhotep

    imhotep Guest


    There is no confusion. The attacks are growing...and as more days go by,
    the number of attacks will grow. Let's hope MS gets going and gets a patch
    out...after all, they patched the DRM hole in what, 3 days?

    Imhotep
     
    imhotep, Sep 23, 2006
    #3
  4. And here's what Microsoft has to say:

    http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx
     
    Bill Sanderson MVP, Sep 23, 2006
    #4
  5. imhotep

    imhotep Guest

    Replying to the MS blog
    http://blogs.technet.com/msrc/archive/2006/09/22/458266.aspx


    "Attacks remain limited. There?s been some confusion about that, that
    somehow attacks are dramatic and widespread."

    It has been said that ATTACKS ARE GROWING. This is the concern. Maybe right
    now there are limited sites that host these attacks but, what does tomorrow
    bring?

    "Of course, that could change at any moment, and regardless of how many
    people are being attacked..."

    This is the point.

    "So right now we're looking at where we hit that quality bar and if that
    occurs prior to the monthly cycle then we will release."

    But wait. MS can release the DRM patch in three days but you are saying that
    your customers might have to wait up to a month? Why is it a third party
    had a patch out in a couple of days and you can't???


    Sadly, I do not believe "confusion" is the issue here. The real issue is,
    yet again, MS customers are taking the hit for an insecure platform. IT
    professionals are taking the hit for an insecure platform. However, if you
    are the Entertainment Industry, MS will take care of you by releasing a DRM
    patch in record time (3 days). Really, one must question where Microsoft's
    priorities are....

    Imhotep
     
    imhotep, Sep 23, 2006
    #5
  6. Actually, we are just seeing Imhotep's revelation of predispositions
    and inability to comprehend the distinction between QA on a patch
    that impacts a top-level application capability with fairly limited use as
    compared to code that is also lightly used but is deeply embedded
    in the platform and has had time for potential side-effects to accrete
    around it.

    Frankly, with the simple workarounds available, with the apparently
    low exploitation, I am quite happy to not use the third-party patch
    and to wait for a regression tested release by the MSRC.

    Roger

    PS. What is with your habit of always setting followups to the
    IE sec newsgroup anyway ??
     
    Roger Abell [MVP], Sep 24, 2006
    #6
  7. From: "Roger Abell [MVP]" <>


    | Actually, we are just seeing Imhotep's revelation of predispositions
    | and inability to comprehend the distinction between QA on a patch
    | that impacts a top-level application capability with fairly limited use as
    | compared to code that is also lightly used but is deeply embedded
    | in the platform and has had time for potential side-effects to accrete
    | around it.
    |
    | Frankly, with the simple workarounds available, with the apparently
    | low exploitation, I am quite happy to not use the third-party patch
    | and to wait for a regression tested release by the MSRC.
    |
    | Roger
    |

    At the same time, the threat is real.

    I was just given the site using a VML Exploit that installs the Goldun Trojan. The average
    user will not mitigate this threat and will be infected in seconds!

    l00p.html

    Engine               Version          Definitions  Result
    AntiVir              7.2.0.18         09.23.2006   no virus found
    Authentium           4.93.8           09.23.2006   no virus found
    Avast                4.7.844.0        09.22.2006   no virus found
    AVG                  386              09.22.2006   no virus found
    BitDefender          7.2              09.23.2006   Exploit.HTML.Execod.A
    CAT-QuickHeal        8.00             09.22.2006   CVE-2006-4868
    ClamAV               devel-20060426   09.23.2006   no virus found
    DrWeb                4.33             09.22.2006   no virus found
    eTrust-InoculateIT   23.73.4          09.24.2006   JScript/Veemyfull!exploit!Trojan
    eTrust-Vet           30.3.3093        09.22.2006   JS/Veemyfull!exploit
    Ewido                4.0              09.23.2006   no virus found
    Fortinet             2.82.0.0         09.23.2006   HTML/MS06.XMLNS!exploit
    F-Prot               3.16f            09.23.2006   no virus found
    F-Prot4              4.2.1.29         09.23.2006   no virus found
    Ikarus               0.2.65.0         09.23.2006   no virus found
    Kaspersky            4.0.2.24         09.24.2006   no virus found
    McAfee               4858             09.22.2006   Exploit-VMLFill
    Microsoft            1.1560           09.24.2006   Exploit:HTML/Levem.C
    NOD32v2              1.1771           09.23.2006   HTML/Exploit.VMLFill
    Norman               5.90.23          09.22.2006   JS/VMLexploit
    Panda                9.0.0.4          09.23.2006   no virus found
    Sophos               4.09.0           09.23.2006   no virus found
    Symantec             8.0              09.24.2006   no virus found
    TheHacker            6.0.1.077        09.23.2006   no virus found
    UNA                  1.83             09.22.2006   no virus found
    VBA32                3.11.1           09.23.2006   no virus found
    VirusBuster          4.3.7:9          09.23.2006   JS.ExpDL.A

    Trend Micro          781              09.23.2006   EXPL_EXECOD.A
     
    David H. Lipman, Sep 24, 2006
    #7
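The scan results in the post above show how unevenly a single exploit page was recognised by signature. As an added example, not code from any post in this thread or from any of the vendors listed, here is a static heuristic that looks for the two things such a page has to contain: a binding of some tag prefix to IE's VML engine (an `xmlns:...="urn:schemas-microsoft-com:vml"` declaration, an `<?import ... implementation="#default#VML">` instruction, or a `behavior:url(#default#VML)` style rule) and a VML element carrying an attribute far longer than any legitimate drawing needs. The `fill` element in the constructed sample follows the vendor names on the page (Exploit-VMLFill, HTML/Exploit.VMLFill); the particular `method` attribute and the 512-byte threshold are assumptions, and the heuristic flags any oversized attribute on any VML element rather than that one alone.

```python
"""Static heuristic for pages that bind Internet Explorer's VML engine
(vgx.dll) to a tag prefix and then hand a VML element an oversized attribute.
Added example written for this thread, not code from any post or vendor;
the length threshold and both sample pages below are constructed."""
import re
from html.parser import HTMLParser

# The three ways a page can bind a prefix to VML in IE. Which one a given
# exploit page used is not stated in the thread, so all three are checked.
XMLNS_RE = re.compile(
    r"""xmlns:([A-Za-z_][\w.-]*)\s*=\s*["']urn:schemas-microsoft-com:vml["']""",
    re.I)
IMPORT_RE = re.compile(
    r"""<\?import\s+namespace\s*=\s*["']?([\w.-]+)["']?[^>]*?"""
    r"""implementation\s*=\s*["']#default#VML["']""", re.I)
BEHAVIOR_RE = re.compile(
    r"""([A-Za-z_][\w.-]*)\\:\*\s*\{[^}]*behavior\s*:\s*url\(\s*#default#VML\s*\)""",
    re.I)

LONG_ATTR = 512  # assumption: real VML attribute values are far shorter


def vml_prefixes(page):
    """Prefixes bound to VML, lower-cased because html.parser lower-cases tags."""
    found = set()
    for rx in (XMLNS_RE, IMPORT_RE, BEHAVIOR_RE):
        found.update(m.group(1).lower() for m in rx.finditer(page))
    return found


class _VmlAttrScanner(HTMLParser):
    """Collects (tag, attribute, length) for oversized attributes on VML tags."""

    def __init__(self, prefixes):
        super().__init__()
        self.prefixes = prefixes
        self.findings = []

    # html.parser routes self-closing <v:fill .../> through handle_starttag too.
    def handle_starttag(self, tag, attrs):
        prefix, sep, _local = tag.partition(":")
        if not sep or prefix not in self.prefixes:
            return
        for name, value in attrs:
            if value is not None and len(value) > LONG_ATTR:
                self.findings.append((tag, name, len(value)))


def scan(page):
    """Return a verdict dict: whether VML is loaded at all, under which
    prefixes, which attributes are oversized, and an overall flag."""
    prefixes = vml_prefixes(page)
    findings = []
    if prefixes:
        parser = _VmlAttrScanner(prefixes)
        parser.feed(page)
        parser.close()
        findings = parser.findings
    return {"vml": bool(prefixes), "prefixes": prefixes,
            "findings": findings, "suspicious": bool(findings)}


# Constructed samples, not captured pages. BENIGN is ordinary VML drawing
# markup; SUSPECT binds a different prefix via <?import> and gives the fill
# element a 2000-byte attribute.
BENIGN = """<html xmlns:v="urn:schemas-microsoft-com:vml">
<head><style>v\\:* { behavior: url(#default#VML); }</style></head>
<body><v:rect style="width:100px;height:50px"><v:fill color="#cc0000"/></v:rect></body>
</html>"""

SUSPECT = """<html><head>
<?import namespace="vm" implementation="#default#VML" ?>
</head><body>
<vm:rect><vm:fill method="%s"/></vm:rect>
</body></html>""" % ("A" * 2000)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspect", SUSPECT)):
        r = scan(page)
        print(label, "vml=%s suspicious=%s" % (r["vml"], r["suspicious"]),
              r["findings"])
```

Run as a script it prints a verdict for both constructed pages. A page that assembles the long attribute in JavaScript at run time, or hides the markup behind encoding, defeats a static scan of this kind, so a clean result here says nothing about such variants; the vgx.dll workarounds discussed later in the thread do not depend on recognising the page at all.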
  8. imhotep

    imhotep Guest

    No actually we are seeing Roger Abell's overly verbose excuses. Yet again.
    To think that the World's richest software company can't fix a serious
    patch in a reasonable amount of time is inexcusable (no doubt Roger will
    try though). To think that a third party can release a patch in 2 days but
    the World's richest software company can't is inexcusable. To think that
    Microsoft can patch a DRM security hole in a record 2-3 days leads one to
    believe that Microsoft's priorities are somewhere other than their users
    and that is inexcusable. The fact that Roger Abell is trying to defend the
    obvious ineptness of Microsoft is well, hilarious.
    The simplest work around being what? Use Firefox? Then we agree. Better
    yet, the *best* work around is to ditch Microsoft altogether and get an
    Apple or Linux PC....

    Imhotep
     
    imhotep, Sep 24, 2006
    #8
  9. imhotep

    imhotep Guest

    It really makes my blood boil knowing that they patched the DRM security hole
    in a couple of days, yet I am sure by the time this patch comes out a crap
    load of people will get infected...

    So I guess the Entertainment Industry is more important?

    Imhotep
     
    imhotep, Sep 24, 2006
    #9
  10. Talk about verbose !!

    I am defending nothing.

    Now just why do you think that I chose to post a new thread on
    this the day that the exploit became public?
    Because it had potential and because the advisory and other available
    info provided means for protecting against the threat.

    A discussion of a specific threat is NOT the venue to attempt to
    discuss other, tangential at best, issues, such as time to delivery
    of other fixes, who is in whose bed, etc..

    PS. can you not control your newsreader and its use of followups?
     
    Roger Abell [MVP], Sep 24, 2006
    #10
  11. imhotep

    imhotep Guest

    ....and I thanked you. As you did the right thing.
    Time to patch is most definitely relevant to all security holes, especially
    when the code to exploit the security hole is all over the 'net...

    Now as I stated before, it is shameful that the DRM patch was 3 days but it
    seems that people will have to wait a month (maybe more?) for this security
    hole to be patched. Now come on. Even a Pro Microsoft guy like yourself
    must be a little angry at how the Entertainment Industry gets taken care
    of while users and corporations are getting substandard attention....

    Imhotep
     
    imhotep, Sep 24, 2006
    #11
  12. imhotep

    imhotep Guest

    I guess this shoots your theory to crap, eh? Oh yea, I bet they are lying
    too...

    "Hackers gained access to HostGator's servers late Thursday and began
    redirecting customer sites to outside web pages that exploit an unpatched
    VML security hole in Internet Explorer to infect web surfers with trojans.
    The existence of the new "0-day" exploit of cPanel leaves a large number of
    hosting companies vulnerable to similar attacks until they install the
    patch. The risk is mitigated somewhat by the fact that it is a local
    exploit, meaning any attack on a host must be launched from an existing
    account with cPanel access."

    From: HostGator: cPanel Security Hole Exploited in Mass Hack
    http://news.netcraft.com/archives/2006/09/23/hostgator_cpanel_security_hole_exploited_in_mass_hack.html

    Imhotep
     
    imhotep, Sep 24, 2006
    #12
  13. [snip]

    Workaround:
    regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
    I've done that and tested successfully (see below).

    A non-Microsoft fix: <http://isotf.org/zert/download.htm>.

    To test, see (at your own risk) <http://www.isotf.org/zert/testvml.htm>.
     
    Michael Bednarek, Sep 24, 2006
    #13
  14. Ian

    Ian Guest

    Think we'll only achieve secure computing when C is dropped in favour of a
    better language. The list of buffer-overflow exploits in every single major
    software-package gets monotonous.

    After all, nobody ever got prosecuted for 'Not realising that guy was going
    to do something silly.' But people do get prosecuted for driving cars with no
    brakes.
     
    Ian, Sep 24, 2006
    #14
  15. I assure you, a crap load of people will NOT be infected by this or any
    other IE vuln in the future. IE vulns just don't do that.
    No.
     
    Karl Levinson, mvp, Sep 24, 2006
    #15
  16. If the average user is running McAfee, Trend Micro, Microsoft Windows
    Defender or Bit Defender with current definitions, the VML exploit would
    have been blocked, correct? Symantec also appears to detect this as
    Bloodhound.Exploit.78 with heuristics enabled. I'm guessing the fact that
    this isn't a signature caused the scan below to report Symantec as showing
    "no virus found."
     
    Karl Levinson, mvp, Sep 24, 2006
    #16
  17. If you feel so, then start a thread on that.
    Do not try to take a thread on a specific threat OT.

    ra
     
    Roger Abell [MVP], Sep 24, 2006
    #17
  18. From: "Karl Levinson, mvp" <>


    |
    | If the average user is running McAfee, Trend Micro, Microsoft Windows
    | Defender or Bit Defender with current definitions, the VML exploit would
    | have been blocked, correct? Symantec also appears to detect this as
    | Bloodhound.Exploit.78 with heuristics enabled. I'm guessing the fact that
    | this isn't a signature caused the scan below to report Symantec as showing
    | "no virus found."
    |

    Correct and that is why I posted what AV companies recognize this variant of exploit code.

    However, AVG, Avast and AntiVir, the freebies many home users use, fail to detect this
    variant.

    I submitted variants to a broad distribution list of anti malware vendors.

    Symantec has not reported back on the submission -- yet.
     
    David H. Lipman, Sep 24, 2006
    #18
  19. Or as indicated in an earlier thread

    see
    Vulnerability in Vector Markup Language Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/advisory/925568.mspx

    or for a GPO-based fix
    http://msinfluentials.com/blogs/jesper/archive/2006/09/19/Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
    i.e. http://tinyurl.com/mtcbd
    or Jesper's more recent blog post on the matter.
     
    Roger Abell [MVP], Sep 24, 2006
    #19
  20. He's probably using some crappy open source newsreader. ;D
     
    Karl Levinson, mvp, Sep 24, 2006
    #20