MS IE VML 0-day exploit "mushrooming" in the wild


davidh
September 25th, 2006, 12:21 AM
Third-Party Patch Out For IE's VML Bug
InformationWeek - Sep 22, 2006
Sep 22, 2006 03:42 PM

A group of security researchers on Friday posted an unsanctioned patch for the Internet Explorer VML bug, putting more pressure on Microsoft to push its own fix to users before its next scheduled update on Oct. 10.

"VML attacks have ramped up significantly in the past 24 hours," said Ken Dunham, director of iDefense's rapid response team, in an e-mail to TechWeb. "At least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains to redirect users to a hostile VML exploiting site," Dunham continued.

If I read this right it says:

The index file at a server farm was corrupted by attacks from exploits of this bug so that when you go to the main page of any of the affected 500 sites hosted on the server farm then you will be immediately redirected to a site which will compromise your vulnerable MS IE browser so that your vulnerable Windows PC will be infected and/or controlled by the attacker, WITH NO ADDITIONAL USER ACTION REQUIRED. I.e. one unlucky click and you are a victim.

http://www.informationweek.com/news/showArticle.jhtml?articleID=193004898

DH

davidh
September 25th, 2006, 12:36 AM
The good old days: you had to put an infected disk in your computer to hose it.

Today the majority of households and businesses now have a neon sign (IE) out front flashing "Welcome to the Russian Mafia" :(

DH

Judy G. Russell
September 25th, 2006, 06:16 PM
I.e. one unlucky click and you are a victim.

Ouch... That hurts...

davidh
September 26th, 2006, 12:22 AM
Third-Party Patch Out For IE's VML Bug
InformationWeek - Sep 22, 2006
Sep 22, 2006 03:42 PM

http://www.informationweek.com/news/showArticle.jhtml?articleID=193004898
Actions

We suggest the following actions (do them all: a layered approach will work when one of the measures fails):

* Update your antivirus software, make sure your vendor has protection for it (*).
* Unregister the vulnerable dll (**):

regsvr32 /u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
or
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

And reboot the machine to make sure all in memory copies are gone as well.

* Consider asking your users to stop their usage of MSIE, we know it's hard to break an addiction, but you're using the most targeted browser in the world.

Reregistering a DLL (which you might want to do after an official patch is released) is done with the same command as unregistration, but without the "/u".

http://isc.sans.org/diary.php?storyid=1727

DH
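The ISC advice quoted above (unregister vgx.dll, reboot, re-register once the vendor fix is in) is easy to lose track of across a fleet. The script below is an added example written for this thread, not code from the ISC diary or from Microsoft: it audits one Windows host for the state of that workaround. It assumes the two vgx.dll locations named in the post, that unregistration removes the COM InprocServer32 entries that point at the DLL, and that the vendor fix reports itself as KB925486 (the bulletin number given later in the thread); anything else it prints is a recommendation, not an action it takes.

```powershell
# Added example for the MS06-055 workaround described in the ISC diary quoted above.
# Assumptions: vgx.dll lives at one of the two paths named in the post, and the
# vendor fix is KB925486 as named in the thread. The script only reports; it never
# registers, unregisters or reboots anything itself.

$dllCandidates = @(
    (Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'),
    (Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll')
)
$dllPath = $dllCandidates | Where-Object { Test-Path $_ } | Select-Object -First 1

# 1. Is the DLL present at all? No file means no VML support to worry about.
if (-not $dllPath) {
    Write-Output 'vgx.dll not found: VML support is not installed on this host.'
    return
}
$version = (Get-Item $dllPath).VersionInfo.FileVersion
Write-Output "vgx.dll found at $dllPath (file version $version)"

# 2. Is it still COM-registered? "regsvr32 /u" removes the InprocServer32 entries
#    that name the DLL, so any CLSID whose InprocServer32 default value still points
#    at vgx.dll means the workaround is not in effect (or the DLL was re-registered).
#    Only HKCR\CLSID is scanned; on 64-bit hosts Wow6432Node would need the same pass.
$registered = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $server = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $server) {
            $default = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            if ($default -and $default -match 'vgx\.dll') { $_.PSChildName }
        }
    }
if ($registered) {
    Write-Output "vgx.dll is still registered via CLSID(s): $($registered -join ', ')"
    Write-Output "  Workaround (from the ISC diary): regsvr32 /u ""$dllPath"" and then reboot."
} else {
    Write-Output 'vgx.dll is not COM-registered: the unregister workaround is in effect.'
}

# 3. Is the vendor fix installed? Get-HotFix reads Win32_QuickFixEngineering, which
#    does not list every update on older systems, so "absent" means "verify manually".
$fix = Get-HotFix -Id 'KB925486' -ErrorAction SilentlyContinue
if ($fix) {
    Write-Output "KB925486 (MS06-055) is installed ($($fix.InstalledOn))."
    Write-Output "  The DLL can be re-registered once patched: regsvr32 ""$dllPath"""
} else {
    Write-Output 'KB925486 not reported by Get-HotFix: check Microsoft Update before re-registering.'
}
```

Run it from an elevated PowerShell prompt on the host being checked; it reads the registry and the hotfix list and prints the three findings in the order the ISC diary lists its steps, so the output tells you which step (unregister, reboot, patch and re-register) is still outstanding on that machine.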

davidh
September 26th, 2006, 12:34 AM
If I read this right it says:

The index file at a server farm was corrupted by attacks from exploits of this bug so that when you go to the main page of any of the affected 500 sites hosted on the server farm then you will be immediately redirected to a site which will compromise your vulnerable MS IE browser so that your vulnerable Windows PC will be infected and/or controlled by the attacker, WITH NO ADDITIONAL USER ACTION REQUIRED. I.e. one unlucky click and you are a victim.

http://www.informationweek.com/news/showArticle.jhtml?articleID=193004898

DH

Security: The Final ISP Frontier
By Larry Seltzer
September 25, 2006

Opinion: These are the errors of the ISP market. Its 15-year failure to protect its customers. Is a secure ISP network science fiction?

...

But this week Trend Micro is releasing its ICSS (InterCloud Security Service), a first step toward helping ISPs and some other large network providers, like universities, to make their networks safer.

ICSS replaces the existing recursive DNS in the network and uses that position to monitor activity looking for suspicious acts, especially those indicative of botnets.

...

http://www.eweek.com/article2/0,1759,2020286,00.asp?kc=EWRSS03129TX1K0000614

DH

davidh
September 26th, 2006, 12:38 AM
I'm not sure, but it sounds to me like there are two separate issues:

1. MS IE VML bug vulnerability

2. botnet attacks on some vulnerability of DNS servers?

DH

Judy G. Russell
September 26th, 2006, 01:27 PM
As soon as you figure it out, lemme know...

davidh
September 26th, 2006, 04:44 PM
As soon as you figure it out, lemme know...

You'll probably have to wait a long time.

Anyway, I did make at least one error. The index files that the botnets attack are on the webservers and not on the DNS servers.

Since the VML bug exploits attack an MS IE vulnerability, I still don't see a direct relationship between the VML exploits and the hacking of HTTP servers' index files. Unless the servers are Windows servers and unless the vulnerable MS IE DLL is somehow running on the server, plus other preconditions, etc.

Personally, I have not done any workarounds, since I only rarely use MS IE and even then use McAfee Siteadvisor BHO (obviously not the FF extension).

DH

davidh
September 26th, 2006, 08:11 PM
Microsoft has just released an update to address the VML (VGX) issue

The update can currently be found on Microsoft Update and is titled
Security Update for Windows XP (KB925486)
http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

Judy G. Russell
September 26th, 2006, 10:59 PM
I only rarely use MS IE

Ditto. In spades.

davidh
September 27th, 2006, 03:03 AM
As soon as you figure it out, lemme know...

"HostGator, an ISP based in Houston, said VML attackers compromised its servers via an unrelated zero-day flaw in the cPanel control panel software distributed with hosting accounts and redirected legitimate Web sites to malicious pages hosting VML exploits.


The exploits then dumped massive amounts of spyware, Trojans, bots and rootkits onto vulnerable Windows machines.

Ken Dunham, director of iDefense's rapid response team, said the exploit sites were using the WebAttacker tool kit to plant malicious code on machines with Windows XP SP2 and older versions of the operating system.


Thompson said it's naïve to think that the attackers only hit the malicious sites discovered by virus research firms. "They used two zero-day flaws on disparate operating systems, and that takes some careful planning," he said."

http://www.eweek.com/article2/0,1759,2020889,00.asp?kc=EWRSS03129TX1K0000614

If you follow Internet Storm Center, most of the vulnerabilities found are in commercial software on the server side. So there must be a lot of opportunities for the mafias to beat us up with such one-two punches.

Firefox is having a lot of security flaws too, so keep Firefox on automatic update and check for FF updates MANUALLY too.

DH

Judy G. Russell
September 27th, 2006, 02:38 PM
The exploits then dumped massive amounts of spyware, Trojans, bots and rootkits onto vulnerable Windows machines.

Oh isn't THAT fun...

davidh
September 29th, 2006, 03:21 AM
Unsupported patch for unsupported Windows systems.

http://isotf.org/zert/

I patched IE 6 on Win 98.

No news is good news. Knock on wood.

DH