Last Updated: 2006-03-25 00:22:09 UTC
by Jim Clausing (Version: 3)
Update: At the urging of Handler Extraordinaire Kyle Haugsness, I tested the sploit on a box with software-based DEP and DropMyRights... here are the results:
Software-based DEP protecting core Windows programs: sploit worked
Software-based DEP protecting all programs: sploit worked
DropMyRights, configured to allow IE to run (weakest form of DropMyRights protection): sploit worked
Active Scripting Disabled: sploit failed
So, go with the last one, if you are concerned. By the way, you should be concerned.
Previous Update: We just received a report that a particular site uses the "createTextRange" vulnerability to install a spybot variant. It is a minor site with insignificant visitor numbers according to Netcraft's "Site rank".
The Bleedingsnort rule has been updated. It has been tested against that particular version of the exploit and works for it. For details, see this set of rules (last one is the 'createTextRange' rule).
Folks, as Lorna predicted yesterday, it didn't take long for the exploits to appear for that IE vulnerability. One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact one of our readers, Matt Davis, has provided us with a version that he created that is more destructive). For that reason, we're raising Infocon to yellow for the next 24 hours.
Workarounds/mitigation
Microsoft has posted this and suggests that turning off Active Scripting will prevent this exploit from working (in IE that is the "Active scripting" setting under Tools > Internet Options > Security, set per zone; disable it for the Internet zone at the very least). You could, of course, always use another browser such as Firefox or Opera, but remember that IE is so closely tied to other parts of the OS that you may be running it in places where you don't realize you are.
One of our readers asked whether DropMyRights from Microsoft would provide any protection. We haven't had an opportunity to test that out. (Update: We have now tested it... see above update --skoudis).
I understand a snort signature to detect the exploit has been checked in to bleeding-snort; I'll update the story with a URL for the sig as soon as I find it.
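For readers who want to triage proxy logs or captured HTTP bodies themselves while the signature settles, here is an added example of the kind of content check the diary is describing. It is not the Bleeding Edge rule, not the PoC, and not Microsoft's code; it is a standalone heuristic written for this page. It looks for a createTextRange call inside script blocks of a server-to-client body, re-joins quoted string fragments so that 'createTe' + 'xtRange' still matches, and raises the verdict when the same page also sets an input type of checkbox or radio, which is the assumption this heuristic makes about where the faulting call is aimed (public write-ups of the bug at the time pointed at those controls; the diary itself does not say). The sample bodies are constructed, not captured traffic.

```python
import re
from typing import Optional

# Constructed sample response bodies (not captured traffic): a benign rich-text
# editor use of createTextRange, a page that calls it on a checkbox, one that hides
# the method name behind string concatenation, and a page with no script at all.
SAMPLES = {
    "editor": """<html><body>
<textarea id="ed"></textarea>
<script>
  var r = document.getElementById('ed').createTextRange();
  r.collapse(false); r.select();
</script></body></html>""",
    "checkbox": """<html><body><script>
  var a = document.createElement('input');
  a.type = 'checkbox';
  var r = a.createTextRange();
</script></body></html>""",
    "obfuscated": """<html><body><script>
  var m = 'createTe' + 'xtRange';
  var e = document.createElement('input'); e.type = 'radio';
  e[m]();
</script></body></html>""",
    "clean": "<html><body><p>Nothing to see here</p></body></html>",
}

# Script bodies only; markup outside <script> cannot call the method by itself.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# 'abc' + 'def' -> 'abcdef': join adjacent string literals before matching.
CONCAT_RE = re.compile(r"(['\"])\s*\+\s*\1")
# Case-insensitive, the way the public signatures of the day matched it.
CALL_RE = re.compile(r"createTextRange", re.IGNORECASE)
# Assumption of this heuristic: a checkbox/radio input nearby makes the call
# far more suspicious than the common rich-text-editor use on a textarea.
TOGGLE_RE = re.compile(r"type\s*=\s*['\"]?\s*(checkbox|radio)\b", re.IGNORECASE)


def normalize(script: str) -> str:
    """Collapse simple string-concatenation splits of identifiers."""
    return CONCAT_RE.sub("", script)


def scan(body: str) -> Optional[str]:
    """Return None (no call), "medium" (call present) or "high" (call plus
    a checkbox/radio input on the same page)."""
    scripts = [normalize(s) for s in SCRIPT_RE.findall(body)]
    if not any(CALL_RE.search(s) for s in scripts):
        return None
    if TOGGLE_RE.search(body):
        return "high"
    return "medium"


def scan_all(samples=None) -> dict:
    """Run scan() over a name -> body mapping and return the verdicts."""
    samples = SAMPLES if samples is None else samples
    return {name: scan(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:<11} {verdict}")
```

Run it against decompressed server-to-client bodies only; requests never carry the call. Expect the "medium" verdict on any site with an IE rich-text editor, which is exactly why a content match on the method name alone is noisy. And note that the concatenation trick above is the gentlest evasion available; String.fromCharCode, eval of an encoded blob, or simply splitting the name across two variables all slip past this and past any plain content rule, so treat it as a triage aid and not as a reason to leave Active Scripting on.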
References
Original Secunia bulletin: http://secunia.com/advisories/18680/
Microsoft blog: http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx
Jim Clausing, jclausing --at-- isc.sans.org