IE


Office and IE Under Fire (Again)

News of the unpatched PowerPoint vulnerability (via eWeek) comes after a summer-long struggle to contain vulnerabilities in Microsoft Office, the office suite that maintains a venerable monopoly in the market.  As with previous PowerPoint exploits, this one uses a rigged PowerPoint file to install a backdoor application.  I found some additional information available from Symantec; read that here.

Similarly, another exploit has surfaced for Internet Explorer.  This exploit takes advantage of a flaw that was supposedly brought to Microsoft’s attention back in July and apparently still remains unpatched.  Fortunately, additional information on the IE vulnerability is available; here are some relevant links:

SecurityFocus:  Microsoft Internet Explorer WebViewFolderIcon Buffer Overflow Vulnerability
osvdb:  Microsoft IE WebViewFolderIcon setSlice Overflow

No word yet on any workarounds for this vulnerability or the published exploit.

Finally, in slightly related news…a couple of days ago Microsoft released an out-of-band patch (MS06-055) for the VML vulnerability I mentioned last week.  As usual, it’s available via Windows Update, WSUS, and various other distribution mechanisms.


More on the IE VML Vulnerability

Taken from this Dark Reading article, here are a few ways to protect yourself from the VML vulnerability:

  • Unregister the VML DLL (VGX.DLL, found in Program Files\Common Files\Microsoft Shared) using regsvr32.exe.
  • Apply a restrictive access control list (ACL) to the VGX.DLL file.  This weblog entry shows how to help automate this using Group Policy for larger organizations (very handy!).
  • Disable “Binary and Script Behaviors” in Internet Explorer 6.  Unfortunately, this measure may only be temporary, as the exploit is moving beyond its original JavaScript-based incarnation (see below).
  • Switch to an alternate browser or use a virtual browser appliance.

In case you’re wondering why it might be important to protect yourself against this vulnerability, take a look at this article describing the scope of the attacks.  As many as 10,000 web sites could end up hosting exploit code to take advantage of this vulnerability, and researchers are predicting that an e-mail variation may soon follow.

You can obtain additional information about this vulnerability and the corresponding exploit(s) at the following links:

Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability
http://www.symantec.com/enterprise/security_response/vulnerability.jsp?bid=20096

Trojan.Vimalov: A zero-day exploit in VML, in Internet Explorer
http://www.symantec.com/enterprise/security_response/weblog/2006/09/trojanvimalov_a_zeroday_exploi.html

Exploit-VMLFill
http://vil.nai.com/vil/content/v_140629.htm

Microsoft Internet Explorer Vector Markup Language 0-Day
http://vil.nai.com/vil/Content/v_vul26881.htm

Enterprises that don’t want to deploy Group Policy but still want to protect themselves against the vulnerability can use WMIC to remotely run the regsvr32.exe command against remote computers.  Of course, this disables VML functionality, but how many enterprises out there actually use VML?  Here’s the general command:

wmic /node:<PC name> process call create 'regsvr32.exe /u "%CommonProgramFiles%\Microsoft Shared\VGX\VGX.DLL"'

As I’ve mentioned before, you could substitute a text file for the PC name above and WMIC will iterate through the list, performing the same task on each PC in the list.  To re-enable VML functionality, you could use the same process but remove the “/u” switch from the regsvr32.exe command.
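The same fan-out as an added PowerShell example (not part of the original post): it runs the regsvr32.exe command on each PC through Win32_Process.Create and records whether the process launched on each one. The PC names are constructed placeholders; the script assumes CIM/WinRM access to the targets and adds the /s switch so regsvr32.exe does not open a dialog in the remote session.

```powershell
# Added example: push the VGX.DLL unregister workaround to a list of PCs
# and record the outcome per host.
param(
    # Constructed placeholder names; pass (Get-Content .\hosts.txt) for a real list.
    [string[]]$Computers = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02'),
    [string]$Report = '.\vgx-unregister.csv',   # hypothetical report file
    [switch]$Undo                               # re-register VML (drops the /u switch)
)

# Wrapping in cmd.exe /c makes %CommonProgramFiles% expand on the target PC
# rather than on the admin workstation.
$mode    = if ($Undo) { '' } else { '/u ' }
$command = 'cmd.exe /c regsvr32.exe /s ' + $mode +
           '"%CommonProgramFiles%\Microsoft Shared\VGX\VGX.DLL"'

$results = foreach ($pc in $Computers) {
    try {
        $r = Invoke-CimMethod -ComputerName $pc -ClassName Win32_Process `
                 -MethodName Create -Arguments @{ CommandLine = $command } `
                 -ErrorAction Stop
        # ReturnValue 0 means the process was created on the target,
        # not that regsvr32.exe itself succeeded.
        [pscustomobject]@{
            Computer = $pc; Launched = ($r.ReturnValue -eq 0)
            ReturnValue = $r.ReturnValue; Error = $null
        }
    }
    catch {
        # Host unreachable, access denied, remote management blocked, etc.
        [pscustomobject]@{
            Computer = $pc; Launched = $false
            ReturnValue = $null; Error = $_.Exception.Message
        }
    }
}

# Keep a record of which PCs still need the workaround applied.
$results | Export-Csv -Path $Report -NoTypeInformation
$results | Where-Object { -not $_.Launched } |
    Format-Table Computer, ReturnValue, Error -AutoSize
```

Hosts listed in the final table did not receive the workaround and remain exposed until it is applied another way or the patch is installed.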

UPDATE:  More resources have come to light regarding this VML vulnerability:

Zero-Day Response Team Launches with Emergency IE Patch
Internet Explorer Bug Can Be Exploited Via Email
More Defensive Tactics Against IE’s Newest Vuln


New Zero-Day IE Exploits

First up was this alert from eWeek that exploit code had been posted for a previously unknown code execution hole in Internet Explorer.  This article came on September 14, about 5 days ago.

On that same day Microsoft published this security bulletin, which describes an issue with the DirectAnimation Path ActiveX control.  Although it’s not immediately apparent whether this security bulletin is related to the exploit code described in the eWeek article, a review of the CVE listing provides enough information to believe that the exploit described by eWeek does, in fact, use the vulnerability described by Microsoft in their security bulletin.

This Dark Reading article also describes the same vulnerability and the related exploit, and was published yesterday, Monday, September 18.

Also yesterday, eWeek reported zero-day IE attacks spotted in the wild, but these attacks do not appear to be related to the exploit discovered last week and instead appear to be new attacks.  Although specific vulnerability information was not available in that article, a quick trip to the Sunbelt weblog provided some additional information that indicates these are new attacks against a new vulnerability that remains unpatched by Microsoft.  No formal word from Microsoft yet, but I expect we’ll probably see a security bulletin in the next few days.

In the meantime, protect yourself against these attacks by following the workarounds suggested in the Microsoft security bulletin (for the ActiveX control exploit).  Alternately, you can switch to Mozilla Firefox or (for those of you that are technically inclined) build yourself a web sandbox using VMware Workstation and undoable disks (sort of like the Browser Appliance, but using Windows instead for greater compatibility with those sites designed for Internet Explorer).

UPDATE:  As I predicted earlier today when I first posted this article, Microsoft has indeed published a security bulletin regarding the VML vulnerability I described above as discovered by Sunbelt Software.  The MSRC blog posting announcing the bulletin credits ISS as assisting in the confirmation of the vulnerability.


New IE Flaws

In addition to the announcement of a new “trojan horse” for Mac OS X, a couple of new flaws in Internet Explorer were uncovered and disclosed in the last few days as well.

According to eWeek, a security researcher has uncovered two new flaws for Internet Explorer.  I have not been able to locate any additional details on the more critical of the two flaws, but the lesser flaw has a Secunia advisory posted.

If you use Internet Explorer, exercise caution.  Better yet, switch to Firefox.


Even Microsoft Knows It

I hope Microsoft Vista is going to address the malware problem that is plaguing Windows users worldwide right now.  Even Microsoft knows it’s bad.  How bad?  Read on.

In this article from eWeek, Mike Danseglio, a program manager in the Security Solutions group at Microsoft, is quoted as saying:

“When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit…”

Doesn’t this say something?  If a program manager at Microsoft says what everybody else already knows, then even Microsoft has gotten to the point where they’re admitting that Windows has a problem.

This related article, published in early December 2005, notes that as much as 20% of all malware removed from Windows XP SP2 systems is considered to be stealth rootkits.  Considering that some of the Internet Explorer security flaws have allowed malware to be installed by simply visiting a web site, that’s pretty serious.

Microsoft has taken an excellent first step in Vista by making sure that the browser runs in a reduced-privileges environment.  Let’s hope they don’t stop there.


Watch Out, IE Users

A couple of articles are highlighting a recently uncovered security flaw in Microsoft Internet Explorer: this article from eWeek and this article from ComputerWorld, both of which reference this security advisory from Microsoft.

The fix is to set the Security Level for the Internet Zone to High, which disables the functionality required for the exploit to work.  Unfortunately, it also disables a lot of other things that non-malicious sites use, so this workaround will affect your ordinary browsing experience.

My recommendation is to switch to Mozilla Firefox.  While Firefox was shown to be vulnerable to a recent spoofing flaw (this flaw also affected IE, Safari, Camino, etc.), it’s still better than IE’s security record.  And, yes, for those of you out there who are yelling at your computer screens right now:  I know that you probably believe that Firefox is only more secure because there are fewer people using it.  Perhaps that’s true, but the end result is that it’s more secure.  Isn’t that what we are seeking to achieve?
