Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Tuesday, July 7, 2009

Microsoft IE 0day... Not again!?

Sad, but true. Once again, MS Internet Explorer users have to run around hiding from the MPEG2 ActiveX exploit that is lurking around, exploiting this new vulnerability in "msvidctl.dll". And there is still no patch available for this critical vulnerability. I think, looking at the licensing costs, Micro$oft products should come with some sort of SLA when we buy them, like maybe fixing a critical vulnerability within a day or something like that. I mean, it's ridiculous that it's been more than 48 hrs that the exploit for this vulnerability has been actively hosted on literally thousands of websites and we still don't have a patch for it!

Anyways, the vulnerability is pretty interesting in itself. I mean, it's not the standard ActiveX kind of vulnerability where you just overflow some parameters inside a function to pwn the SEH. The exploit requires some kind of GIF file to successfully execute shellcode. Well, not a GIF file as such, but a specially crafted image file; the extension could be anything. This, together with the ActiveX control, causes the overflow and SEH overwrite. In fact, the SEH is overwritten by the contents of the image file.

Currently, there are websites hosting this malicious HTML page. Innocent users are lured into browsing these websites by some sort of link sent in a mail, via XSS, or through social networking sites. Once the user lands on the malicious website, a downloader is executed on the user's machine as part of the shellcode within the exploit. This further opens up the machine to a host of different malware infections. The exploit for this has been partially published on the internet. Now, it won't be long before we start seeing another flurry of malware distribution using this technique.

So, as we wait for our dear Mr. Gates to release a fix for this, I suggest you keep away from those silly mails that ask you to click on some weird link, or links that you receive on social networking sites like Facebook/Orkut/Twitter. Nowadays these so-called social networking sites are gaining so much popularity that attackers have also started targeting these websites first. Also, as a workaround, I would suggest setting the kill bit for this ActiveX control (which is a way of preventing vulnerable ActiveX controls from executing inside the browser). You can find more information on that in the Microsoft knowledge base.
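
The kill-bit workaround as a script, added here as an example (it is not code from this post or from Microsoft). It sets the 0x400 bit in the control's "Compatibility Flags" registry value and reads it back to confirm. The CLSID is a constructed placeholder, since the real ones have to come from the Microsoft advisory, and the script assumes an elevated prompt.

```powershell
# Added example: set and verify the IE kill bit for a list of ActiveX CLSIDs.
# Assumes an elevated PowerShell prompt.

# Constructed placeholder, NOT the real control's CLSID: replace it with the
# CLSIDs listed in the Microsoft advisory.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

$KillBit   = 0x400                  # bit in "Compatibility Flags" that blocks the control in IE
$ValueName = 'Compatibility Flags'
$SubKey    = 'Microsoft\Internet Explorer\ActiveX Compatibility'

# Native registry view, plus the redirected view that 32-bit IE reads on 64-bit Windows.
$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') |
    Where-Object { Test-Path -LiteralPath $_ }

function Set-KillBit {
    param([string]$Root, [string]$Clsid)

    $key = Join-Path (Join-Path $Root $SubKey) $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Keep any flags already set for the control and OR in the kill bit.
    $item    = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$ValueName } else { 0 }
    Set-ItemProperty -LiteralPath $key -Name $ValueName -Value ($current -bor $KillBit) -Type DWord

    # Read the value back instead of trusting the write.
    $after = (Get-ItemProperty -LiteralPath $key -Name $ValueName).$ValueName
    [pscustomobject]@{
        Key    = $key
        Flags  = '0x{0:X8}' -f $after
        Killed = (($after -band $KillBit) -ne 0)
    }
}

# Apply to every CLSID in every registry view and show the result per key.
foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        Set-KillBit -Root $root -Clsid $clsid
    }
}
```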

As for the Microsoft advisory (what's the point of having one if there is no solution!), you can read it here.

Be careful and browse safe!
