Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Microsoft Security Advisory for MHTML via Internet Explorer (MS2501696/CVE-2011-0096)

Published: 2011-01-27
Last Updated: 2011-01-28 18:47:54 UTC
by Robert Danford (Version: 1)
5 comment(s)

www.microsoft.com/technet/security/advisory/2501696.mspx

Information on this vulnerability first started surfacing on Full-Disclosure on 1/15/2011.The vulnerability exists in all supported versions of MS Windows except for 2008 with server core. Other installed applications (Adobe Reader, etc) may be leveraged locally via Internet Explorer (including Outlook, etc.)

There appears to be a myriad of ways it can be leveraged and a lot of thought and creativity is being poured into that. So now would be a good time to: test and consider the registry workaround (see advisory); to review group policies for zone settings for Internet Explorer; and to review detection options for email gateways and proxies/NIDS/etc.

From the advisory:

"The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim's Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user."

A release date for a fix has not been posted yet.

Relevant/Interesting Links:

Enhanced Security Configuration
http://technet.microsoft.com/en-us/library/dd883248(WS.10).aspx

MHTML Info
http://msdn.microsoft.com/en-us/library/aa767916(v=vs.85).aspx

Server Core
http://technet.microsoft.com/en-us/library/ee441255(WS.10).aspx

CVE-2011-0096
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0096

Advisory
http://www.microsoft.com/technet/security/advisory/2501696.mspx

If you come across any attacks targeting this vulnerability, please upload any details you have (pcap, samples, urls, etc)
via our contact form and we'll review them, share with the community (if you permit us), and post updates to the diary.

Thanks,

Robert Danford

5 comment(s)

ISC DHCP DHCPv6 Vulnerability

Published: 2011-01-27
Last Updated: 2011-01-27 23:43:43 UTC
by Guy Bruneau (Version: 1)
2 comment(s)

The Internet Systems Consortium, the makers of the open source DHCP server, indicated the DHCPv6 service may crash after processing a DHCPv6 decline message. This vulnerability has been assigned CVE 2011-0413 and affect version 4.0.x-4.2.x and maybe remotely exploitable.

Note: This DoS only affects DHCPv6 servers and there is currently no workaround.
 

[1] https://lists.isc.org/pipermail/isc-os-security/2011-January/000000.html

[2] http://www.kb.cert.org/vuls/id/686084

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Keywords: DHCPv6 DoS
2 comment(s)

Opera Updates

Published: 2011-01-27
Last Updated: 2011-01-27 12:48:07 UTC
by Chris Carboni (Version: 1)
0 comment(s)

We've had a few reports (thank you all) that Opera has been updated to 11.01 and fixes several security issues.

Full details are available here

 

Christopher Carboni - Handler On Duty

Keywords: browser opera update
0 comment(s)
Diary Archives