Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-11-01 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

IE unspecified remote code execution vulnerability

Published: 2006-11-01
Last Updated: 2006-11-02 14:21:35 UTC
by John Bambenek (Version: 1)
0 comment(s)
Bugtaq has a report of an unspecified remote code execution vulnerability for IE 6 (it doesn't say IE 7 is *not* vulnerable, it doesn't say anything). The post is complete with proof-of-concept code.  The vulnerability would allow an attacker to run code with the permissions of the user running IE. There is a 4 page paper in PDF format that discusses the bug.  At this point I haven't seen any other advisories.  More information when we have it.

UPDATE:
Cisco (??) has an advisory out on this one.  They state it is anything IE 6 SP2 and before, which I read to imply IE 7 is fine.  More specific info is included here. The problem exists with WScript.Shell which allows malicious JavaScript to do some nastiness to your machine.  Long and short, it could be ugly, it might not be.  More info is needed.  But it's another exploit that requires bringing the victim to the exploit.

UPDATE 2:
This is actually code to do the same thing as CVE 2006-4704, i.e. exploit the same bug, so it's not all the new.
--
John Bambenek
bambenek /at/ gmail (dot) com
Keywords:
0 comment(s)

Visual Studio 2005 Remote Code Exploit, Actively Being Exploited

Published: 2006-11-01
Last Updated: 2006-11-01 20:45:19 UTC
by John Bambenek (Version: 1)
0 comment(s)
Microsoft has issued an advisory on a remote code exploit in Visual Studio 2005 (CVE 2006-4704) in the WMI Object Broker control. The vulnerability can be exploited by getting the user to view a malicious web page with the exploit and it will allow an attacker to take full control of the system. Currently users running Windows 2003 with Enhanced Security Mode in the default configuration are not affected.  Also, users running IE 7 are not affected (as long as they do not opt-in to the particular ActiveX control).

There is also a kill bit that can be set to stop this vulnerability (place the following in a .reg file and apply it):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}]
"Compatibility Flags"=dword:00000400

This vulnerability is being **actively exploited**.  The advisory states that Microsoft is planning an update for this problem and it should go out in the next monthly patch cycle.

UPDATE: CERT has a notice up also.

--
John Bambenek
bambenek /at/ gmail (dot) com
Keywords:
0 comment(s)

Remote DoS in Firefox 1.5.0.7 and Firefox 2

Published: 2006-11-01
Last Updated: 2006-11-01 04:54:03 UTC
by John Bambenek (Version: 1)
0 comment(s)
There is a new advisory out that indicates there is a remote denial of service exploit in Firefox 1.5.0.7 and Firefox 2.  The original post indicated that there could be a buffer overflow and remote code execution component, but as of 10/31 this has not been verified. This exploit will occur when a specifically crafted webpage tries to create a range object with "createRange". So far it will only make the browser crash.  If new information is made available, we will post updates.

---
John Bambenek
bambenek /at/ gmail (dot) com
Keywords:
0 comment(s)
Diary Archives