
Seen In The Wild: Zero Day Exploit Being Used To Infect PCs


17 replies to this topic

#1 no one


Posted 19 September 2006 - 10:53 AM

Our security research team has observed a new zero day exploit being used to infect systems. Coming from a porn website, this particular one is a vulnerability in VML inside of Internet Explorer.

The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode. It is currently on and off again at a number of sites.
http://sunbeltblog.blogspot.com/2006/09/se...loit-being.html


Big surprise this starting at a porn site; I'm sure it will make it to "normal" sites soon enough though.
If you're not selective about what sites you allow JavaScript to run on, now would be a good time to start.

"Not everything that counts can be counted, and not everything that can be counted counts."

"Whoever fights monsters should see to it that in the process he does not become a monster"



#2 Security Geek


Posted 20 September 2006 - 12:45 AM

In what may turn into something as big as the WMF exploit, Microsoft has issued Microsoft Security Advisory (925568) for a "VML Buffer Overflow" that can "Allow Remote Code Execution". This exploit apparently affects Windows XP/2003, Internet Explorer 6, Outlook 2002, and Outlook Express 6 (and probably some unsupported versions of these applications as well). MS has issued workarounds but they are not for the faint of heart, a possible indication of how serious this is.

If this vulnerability can be exploited through email (eg; Spam) we're going big time on this one real quick. I have posted links to several advisories at the NIST.org Advisory and will continue to provide updates. If you have a small screen device with an Internet connection (eg; Blackberry, Smartphone, etc) you can tune in to 'nist.org/small' for updates from NIST.org, SANS.org and FIRST.org (and I may add others as this progresses).

Until this gets worked out be VERY suspicious of any unsolicited email (more so than normal). Simply viewing (or even previewing) an infected message may get you in trouble (btw: some sources are saying this exploit can take many forms so antivirus programs may have problems keeping up).

Update (things are coming in really fast on this): ISS has confirmed that this can be spread via email. "An attacker could also send out maliciously crafted HTML emails, which will be able to execute arbitrary code on the victim's machine when viewed with recent versions of Outlook or Outlook Express." A spammers'/hackers' delight.

(please comment here at BleepingComputer.com)

John at
http://NIST.org

#3 quietman7


Posted 20 September 2006 - 07:13 AM

...Like the WMF exploit it is advised to unregister the susceptible dll from the system as a workaround for the vulnerability.

f-secure.com/weblog

...A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs...

Microsoft Security Advisory (925568)

US Cert has posted Vulnerability Note VU#416092
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 jgweed


Posted 20 September 2006 - 10:35 AM

Two vulnerabilities in IE in less than a week!
In addition to being wary, as always, of suspicious E-mails, using alternative browsers is certainly a prudent decision.

ZDNet has noted instructions to disable VML rendering:

"...users will need to issue a command to disable VML rendering until the official patch comes out. The commands are:
Disable VML
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Enable VML
regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

To execute these commands, simply hit the "Start" button and click "Run". Cut-paste the disable VML command into the line and click OK. You will get a "RegSvr32" popup notice that says DllUnregisterServer in … succeeded. Once the patch is available and you've applied it, repeat the process with the enable VML command." (Emphasis mine)

http://blogs.zdnet.com/Ou/index.php?p=323

Regards,
John

Edited by jgweed, 20 September 2006 - 10:37 AM.

Whereof one cannot speak, thereof one should be silent.

#5 quietman7


Posted 20 September 2006 - 11:37 AM

...Although the first version results in a denial of service and not escalated privileges, we expect to see public posts of exploit code that does allow a user to run code without user interaction. This may result in increased attacks...

websense.com/securitylabs

#6 buddy215


Posted 20 September 2006 - 04:51 PM

http://www.techweb.com/wire/security/19300...LOSKH0CJUNN2JVN

Use Group Policy to propagate .dll disabling: Microsoft's workarounds don't include this time saver, but an independent researcher has posted templates for creating a pair of Group Policy objects that disable (or undo that) for all users of a Windows domain.

For the details, head to Jesper Johansson's blog, here.

Disable Binary and Script Behaviors in IE 6: Another purely defensive move recommended by Microsoft is to turn off this scripting feature within the browser. Note, however, that this only protects against the currently-known exploit, which could, of course, morph into something else entirely.

-- Select Tools|Internet Options in IE

-- Click the "Security" tab

-- Click "Internet," then "Custom Level"

-- In the "ActiveX controls and plug-ins" section, under "Binary and Script Behaviors," click "Disable," and then click OK.

Repeat the last step above, but in the "Local intranet" zone.

Use another browser: Several security researchers and organizations have recommended dumping IE 6 in similar zero-day situations, and this was no different.

"One of the easiest ways might be to use Firefox with a plug-in to allow certain sites (such as windowsupdate.com) to transparently use MSIE to get back the ActiveX functionality without bothering the user over the choice and differences," said the Internet Storm Center in an online alert Wednesday.

Two such plug-ins (called "extensions" in Firefox parlance) that add IE functionality to Firefox are IE Tab and IE View.

In this case, "another browser" can also mean Internet Explorer 7, which is currently in Release Candidate 1. According to a Microsoft spokesman late Tuesday, IE 7 is not vulnerable to the VML bug.
"Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust." Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”
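The two workarounds described in posts #4 and #6 (unregistering vgx.dll, and disabling "Binary and Script Behaviors" in the Internet and Local intranet zones), as an added PowerShell example that is not from this thread, Microsoft or the quoted articles: it reports the current state of both settings, applies them, and re-checks. It assumes an elevated session, vgx.dll at the path quoted above, and that the zone value ID 2000 with 0 = Enable / 3 = Disable matches Microsoft's documented Internet Settings zone registry layout (KB182569).

```powershell
# Added example (not from the thread): audit and apply the vgx.dll un-registration
# (post #4) and the per-zone "Binary and Script Behaviors" setting (post #6).
# Assumptions: run as Administrator; zone value 2000 and its 0/3 codes follow
# Microsoft's documented zone registry layout (KB182569).

$VgxPath = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

# regsvr32 registration creates CLSID\{...}\InprocServer32 keys whose default value
# is the DLL path, and DllUnregisterServer removes them. Scanning for any
# InprocServer32 that still points at vgx.dll tells us whether VML is live
# without hard-coding a CLSID.
function Get-VgxRegistered {
    $entries = Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\CLSID\*\InprocServer32' `
        -ErrorAction SilentlyContinue
    $hits = $entries | Where-Object { $_.'(default)' -like '*\vgx.dll' }
    return [bool]$hits
}

# /s keeps regsvr32 silent; /u unregisters. Omit -Disable to re-register after patching.
function Set-VgxRegistration([switch]$Disable) {
    $argList = if ($Disable) { @('/s', '/u', "`"$VgxPath`"") } else { @('/s', "`"$VgxPath`"") }
    $p = Start-Process regsvr32.exe -ArgumentList $argList -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($p.ExitCode)" }
}

# IE zone settings live under Internet Settings\Zones\<n>: 1 = Local intranet, 3 = Internet.
# Value 2000 is "Binary and Script Behaviors" (assumed from KB182569): 0 = Enable, 3 = Disable.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-BinaryBehaviors([int]$Zone) {
    $v = (Get-ItemProperty -Path "$ZoneRoot\$Zone" -ErrorAction SilentlyContinue).'2000'
    if ($null -eq $v) { return 'Not set (zone default applies)' }
    switch ($v) { 0 { 'Enabled' } 3 { 'Disabled' } default { "Unknown ($v)" } }
}

function Set-BinaryBehaviors([int]$Zone, [switch]$Disable) {
    $code = if ($Disable) { 3 } else { 0 }
    Set-ItemProperty -Path "$ZoneRoot\$Zone" -Name '2000' -Value $code -Type DWord
}

# Report, apply both workarounds, then verify the DLL really dropped out of COM.
"vgx.dll registered: $(Get-VgxRegistered)"
foreach ($z in 1, 3) { "Zone $z Binary and Script Behaviors: $(Get-BinaryBehaviors $z)" }
Set-VgxRegistration -Disable
foreach ($z in 1, 3) { Set-BinaryBehaviors -Zone $z -Disable }
"vgx.dll registered after unregister: $(Get-VgxRegistered)"
foreach ($z in 1, 3) { "Zone $z Binary and Script Behaviors: $(Get-BinaryBehaviors $z)" }
```

Once MS06-055 is installed, re-run Set-VgxRegistration and Set-BinaryBehaviors without -Disable to restore the defaults. Note that the zone setting is per user (HKCU) and protects only the account it is set for, while unregistering the DLL is machine-wide.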

#7 quietman7


Posted 22 September 2006 - 06:26 AM

Zero-Day Update: Important Update on VML Exploit

...Websense Security Labs honey clients are currently scanning 80+ million websites per day to help discover sites that are distributing the zero-day code and/or are linked to sites that are. We are starting to see increased activity...In addition, reports out of Australia CERT...are that attacks are surfacing through emails with URL lures...we have some examples of sites that are distributing the code...

websense.com/securitylabs

#8 Security Geek


Posted 22 September 2006 - 07:00 AM

Currently what they're seeing are 'leaders', email messages trying to socially engineer (trick) people into visiting an infected site. Yet to come are actual email messages with the payload. Those email messages only have to be viewed, or even previewed, to infect a computer. It is also believed that the exploit will be combined with an email worm to help spread the infection (eg; mail itself to everyone in your address book or anyone you've ever communicated with). This will greatly increase the acceptance rate of infected email messages. eg; the worm, once installed, may reply to every message in your sent folder (or every folder). That reply will contain the same subject line (with RE: appended) and appear to come from you. The likelihood of the recipient opening such a mail message is extremely high. Those mail messages will of course contain the exploit. Rinse, lather, repeat.

Run the vgx.dll unregister now. The chances of you missing that functionality are very remote and the process is easy to undo. Instructions and frequent situational updates can be found at the NIST.org bulletin. If you are part of an incident response team (or even if you aren't) and have a Blackberry or Smartphone you can tune in to 'nist.org/small' from your handheld. It contains our alerts, as well as alerts from SANS.org and FIRST.org (Forum of Incident Response and Security Teams). (Those alerts are also running on the full screen site.) If you're part of a CIRT you're going to need to monitor this situation very closely.

#9 quietman7


Posted 22 September 2006 - 01:10 PM

Yellow: MSIE VML exploit spreading (NEW)
Published: 2006-09-22,
Last Updated: 2006-09-22 15:35:09 UTC

The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly.


http://isc.sans.org/diary.php?storyid=1727

Zero-Day Response Team Launches with Emergency IE Patch

Also see Grinler's How To Protect Yourself From The Vector Markup Language (vml) Exploit

Edited by quietman7, 22 September 2006 - 01:19 PM.


#10 quietman7


Posted 22 September 2006 - 03:59 PM

...Pressure on Microsoft to fix the flaw may be mounting...Part of their concern is that the exploit may quickly move to e-mail, with spam-style attacks compromising PCs as soon as the recipient views an infected message in an HTML preview pane...An e-mailed attack is dangerous because it requires no out-of-the-ordinary user action..."If you see a message in the Preview Pane or double click it, a well-crafted exploit will crash Outlook. You won't see any error message." As soon as that happens, the attacker can begin loading a user's PC with adware, spyware, and other malicious code...installing the ZERT patch may be a risky move, concluded Sites. "The problem is that you'll never know if it works in all situations...However, Sites expects that Microsoft will go out-of-cycle with a fix if the situation worsens...

techweb.com

#11 quietman7


Posted 23 September 2006 - 06:45 AM

Microsoft Security Advisory (925568)
Vulnerability in Vector Markup Language Could Allow Remote Code Execution
Published: September 19, 2006 | Updated: September 22, 2006

A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

http://www.microsoft.com/technet/security/...ory/925568.mspx

#12 quietman7


Posted 25 September 2006 - 07:04 AM

VML exploits with OS version detection
Published: 2006-09-24,
Last Updated: 2006-09-24 20:46:46 UTC by Daniel Wesemann (Version: 1)

We are seeing samples of the VML exploit that are coded to include browser / OS detection, and are able to trigger working exploits for Win 2000, 2003 and XP. Some reports indicate that client-side anti-virus is not sufficient to protect, some AV apparently only catches the VML exploit code once Internet Explorer writes the temp file to disk, which can be too late...

http://isc.sans.org/diary.php?storyid=1733

#13 quietman7


Posted 25 September 2006 - 04:31 PM

We are starting to see mass mailing lures for websites that are hosting VML exploit code. Most of the sites are using updated Web-Attacker code.

Screenshots available at websense.com/securitylabs

#14 no one


Posted 26 September 2006 - 09:09 AM

Tag-team attack exploits IE flaw
Robert Lemos, SecurityFocus 2006-09-25
For HostGator, the issue seemed to defy defensive measures. The company found rogue code on its servers and removed the programs, only to have the attack code resurface.
"The person or group that did this is very intelligent, and obviously knows how to plan a big attack. While we are protected from this threat, we cannot predict what's to come for HostGator and the industry. Nobody can."

Brent Oxley, owner, HostGator
http://www.securityfocus.com/news/11415


#15 quietman7


Posted 26 September 2006 - 04:26 PM

Microsoft Security Advisory (925568)
Vulnerability in Vector Markup Language Could Allow Remote Code Execution
Published: September 19, 2006 | Updated: September 26, 2006

We have issued MS06-055 to address this issue. For more information about this issue, including download links for an available security update...

http://www.microsoft.com/technet/security/...ory/925568.mspx

Microsoft Security Bulletin MS06-055
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
Updated: September 26, 2006

Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately

http://www.microsoft.com/technet/security/...n/ms06-055.mspx