* A Critical IE Patch Released / Why the Internet is Like an Elephant

Published: 2004-07-30
Last Updated: 2004-07-30 18:39:30 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)
Microsoft Releases a Critical Patch for Internet Explorer

Today Microsoft released a patch to Internet Explorer that addresses critical vulnerabilities that may allow malicious sites to run arbitrary code on unpatched systems. These vulnerabilities have been known for some time. One of them was being actively exploited by the Scob/Ject attack that we described in:

Considering the severity of these vulnerabilities, we recommend installing this patch as soon as possible, and hope that you have a chance to consider this security bulletin before heading home for the weekend:

The following break-down of the vulnerabilities addressed by this security update is based on CVE database entries ( http://www.cve.mitre.org ):

CAN-2004-0549: The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.

CAN-2004-0566: Integer signedness error in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.

CAN-2003-1048: mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code due to a malformed GIF image that triggers a buffer overflow.

Why the Internet is Like an Elephant (Personal Ramblings of a Handler)

Keep an eye on the information you make publicly available on the Internet. Usenet messages that describe your network in a firewall configuration question, job posts with position requirements that reveal the research your organization is doing, personal home pages with data that can be used to impersonate you or your friends... These tid-bids of information easily slip through our mental safety filters, but can come to haunt us years after they were posted on the Net.

Traditional search engines are quite effective at aiding attackers in finding such historical information. Furthermore, data processing services such as Eliyon allow anyone who can type to profile an individual or a company using publicly available information in no time:

Eliyon is an interesting service because it uses clever techniques for parsing Web pages to automatically build a profile about a person, as well as about companies affiliated with the person. Eliyon, much like Google, keeps a cache of relevant Web pages, making the information available even after the original source disappears.

Also, consider the wealth of information that an attacker can gather by tapping into social networking sites such as Friendster and Orkut, either manually, or with the aid of automated data collection tools. Social networking sites have a small neighborhood feel that makes the participants comfortable with revealing lots of personal data. After all, the more information one reveals, the greater the likelihood that someone will find his or her profile attractive for a job or a companionship offer. All in all, this is a social engineer's goldmine.

I'm not advocating information-release paranoia, but I do suggest considering long-term effects of the data you make publicly available about yourself, your friends, or your company. Remember that the Internet, much like an elephant, never forgets.

Lenny Zeltser

ISC Handler on Duty

0 comment(s)


Diary Archives