IE "createTextRange()" vuln


19 replies to this topic

#1 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 22 March 2006 - 12:48 PM

FYI...

- http://secunia.com/advisories/18680/
Release Date: 2006-03-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
...Successful exploitation allows execution of arbitrary code. The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview. Other versions may also be affected.
Solution:
Do not visit untrusted web sites.
NOTE: The vendor is currently working on a patch..."

:huh:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 AplusWebMaster


Posted 22 March 2006 - 01:55 PM

FYI...

- http://isc.sans.org/...hp?storyid=1209
Last Updated: 2006-03-22 19:30:08 UTC
"...'This can be exploited by e.g. a malicious web site to corrupt memory in a way, which allows the program flow to be redirected to the heap.' In simpler terms, it's a heap overflow just waiting to happen. I doubt we will have to wait long for exploit code to be published. There are no security workarounds at this time. We will keep you posted if we find out any additional information..."

:(

#3 AplusWebMaster


Posted 23 March 2006 - 02:37 AM

Update:

- http://secunia.com/advisories/18680/
Last Update: 2006-03-23
Critical: Highly critical ...
Solution:
Disable Active Scripting support.
NOTE: The vendor is currently working on a patch...
Changelog:
2006-03-23: Added link to US-CERT vulnerability note. Added link to Microsoft Security Response Center Blog. Updated "Solution" section.
Original Advisory:
Microsoft Security Response Center Blog:
http://blogs.technet.../22/422849.aspx
Other References:
US-CERT VU#876678:
http://www.kb.cert.org/vuls/id/876678 ..."

:eek:

#4 AplusWebMaster


Posted 23 March 2006 - 03:18 PM

FYI...

IE exploit on the loose... InfoCon to Yellow
- http://isc.sans.org/...hp?storyid=1212
Last Updated: 2006-03-23 20:55:28 UTC
"...it didn't take long for the exploits to appear for that IE vulnerability. One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive... For that reason, we're raising Infocon to yellow for the next 24 hours.
Workarounds/mitigation
Microsoft has posted this* and suggests that turning off Active Scripting will prevent this exploit from working. You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are..."

* http://blogs.technet.../22/422849.aspx
"...if you turn off Active Scripting, that will prevent the attack as this requires script. Customers who use supported versions of Outlook or Outlook Express aren’t at risk from the email vector since script doesn’t render in mail (being read in the restricted sites zone)..."

:eek:

#5 AplusWebMaster


Posted 23 March 2006 - 08:11 PM

FYI... albeit late, and according to the Advisory, they "are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time"... 'Must be tough to see out of that Glass House:

Microsoft Security Advisory (917077)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
- http://www.microsoft...ory/917077.mspx
March 23, 2006 ..."


:eek:

#6 AplusWebMaster


Posted 24 March 2006 - 09:24 AM

FYI...

- http://secunia.com/advisories/18680/
Last Update: 2006-03-24
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.x ...

...NOTE: Exploit code is publicly available...
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected...

- http://secunia.com/s...006-7/advisory/
"...Time Table
10/02/2006 - Vulnerability discovered.
13/02/2006 - Vendor notified.
21/02/2006 - Vendor confirms vulnerability.
22/03/2006 - Vulnerability reported to public mailing lists by third-party.
23/03/2006 - Public disclosure..."

:eek:

#7 AplusWebMaster


Posted 24 March 2006 - 12:27 PM

FYI...

- http://isc.sans.org/...hp?storyid=1212
Last Updated: 2006-03-24 17:46:38 UTC
"Update: We just received a report that a particular site uses the "createTextRange" vulnerability to install a spybot variant. It is a minor site with insignificant visitor numbers according to Netcraft's 'Site rank'..."

EDIT/ADD:
- http://isc.sans.org/...=1&storyid=1212
Last Updated: 2006-03-24 18:29:57 UTC
"...The Bleedingsnort rule has been updated. It has been tested against that particular version of the exploit and works for it. For details, see this set of rules* (last one is the 'createTextRange' rule)..."

* http://www.bleedings...ies?view=markup
Revision: 1.18, Fri Mar 24 15:03:26 2006 EST

:huh:

Edited by apluswebmaster, 24 March 2006 - 02:42 PM.


#8 AplusWebMaster


Posted 25 March 2006 - 08:11 PM

FYI...

Updated Security Advisory (917077)...
- http://isc.sans.org/...hp?storyid=1217
Last Updated: 2006-03-25 22:47:43 UTC
"Microsoft Updated Security Advisory (917077)*... and says "Advisory updated with indication of limited attacks." In this instance, "attacks" = malicious websites..."

* http://www.microsoft...ory/917077.mspx
Revisions:
• March 23, 2006: Advisory published
• March 24, 2006: Advisory updated with indication of limited attacks..."

:huh:

#9 AplusWebMaster


Posted 25 March 2006 - 09:14 PM

FYI...

Modified Malware for the IE Exploit
- http://isc.sans.org/...hp?storyid=1221
Last Updated: 2006-03-26 02:35:18 UTC
"... There are several sites that have been compromised and now contain the exploit code. These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it. It is calc.exe that we want to focus on briefly.
This malware installs a dll that is used as a Browser Helper Object (BHO) and also copies itself to the directory you see below as nm32.exe and runs as a process. The malware creates the following on install:
C:\WINNT\fyt\mn32.dll
C:\WINNT\fyt\nm32.exe
C:\WINNT\fyt\~ipcfg636
C:\WINNT\fyt\~start636
C:\WINNT\fyt\~tmp636
C:\WINNT\fyt\~view636
It also creates one called sub.txt when you surf the internet and records everything that it can about where you surf and do and any information it can get... the individual seems to realize that folks are on to them. I'm pretty sure that the malware has just been changed since it's easier to modify the malware and where it FTPs to than to go back to all the hacked sites..."

:eek:

Edited by apluswebmaster, 25 March 2006 - 09:16 PM.

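A host check for the artifacts named in the ISC diary quoted in post #9, as an added example that is not part of the original post or the diary. The `C:\WINNT\fyt` paths and file names come from the quote; checking the same folder under the local `%windir%`, placing `sub.txt` in that folder, and the function names are assumptions.

```powershell
# Added example (not from the quoted diary): look for the listed files and for a
# Browser Helper Object (BHO) registration that points at them.

# Folder as given in the quote, plus the same folder under this machine's Windows
# directory (assumption: the sample wrote to %windir%, which is C:\WINNT on Windows 2000).
$FytDirs = @('C:\WINNT\fyt')
if ($env:windir) { $FytDirs += "$env:windir\fyt" }
$FytDirs = @($FytDirs | Sort-Object -Unique)

# File names from the quote; sub.txt is assumed to sit in the same folder.
$FytNames = 'mn32.dll', 'nm32.exe', '~ipcfg636', '~start636', '~tmp636', '~view636', 'sub.txt'

function Find-FytFile {
    # Returns a FileInfo object for every listed file that exists (hidden ones included).
    foreach ($dir in $FytDirs) {
        foreach ($name in $FytNames) {
            $path = "$dir\$name"
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                Get-Item -LiteralPath $path -Force
            }
        }
    }
}

function Find-FytBho {
    # A BHO is registered as a CLSID subkey; the DLL it loads is the default value of
    # that CLSID's InprocServer32 key. Both the native and the 32-bit (WOW6432Node)
    # registry views are checked. Flags a DLL named mn32.dll or stored under \fyt\.
    $views = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
    )
    foreach ($view in $views) {
        foreach ($bho in @(Get-ChildItem -LiteralPath $view.Bho -ErrorAction SilentlyContinue)) {
            $clsid  = $bho.PSChildName
            $inproc = Get-Item -LiteralPath "$($view.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if (-not $inproc) { continue }          # registered BHO with no in-process server
            $dll = [string]$inproc.GetValue('')     # default value = path of the DLL
            if ($dll -match '\\fyt\\' -or $dll -match '(^|\\)mn32\.dll$') {
                [pscustomobject]@{ Clsid = $clsid; Dll = $dll; View = $view.Bho }
            }
        }
    }
}

$files = @(Find-FytFile)
$bhos  = @(Find-FytBho)
$files | Format-Table FullName, Length, CreationTime -AutoSize
$bhos  | Format-List
if ($files.Count -gt 0 -or $bhos.Count -gt 0) {
    Write-Warning "Found $($files.Count) listed file(s) and $($bhos.Count) matching BHO registration(s)."
} else {
    'None of the listed files or a matching BHO registration was found.'
}
```

A clean result only covers the variant described in the quote, which itself notes that the malware was being changed.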

#10 AplusWebMaster


Posted 26 March 2006 - 10:00 AM

FYI...

Email attachment vector for IE createTextRange() Remote Command Execution
- http://isc.sans.org/...hp?storyid=1222
Last Updated: 2006-03-26 14:24:42 UTC

"Do You Want To Open This File?
Just for the sake of clarity, there is an email attachment vector for this exploit that's not widely reported. I have not seen any reports of it being used at this time. MS's bulletin, in the FAQ's, in "Could this vulnerability be exploited through e-mail?", says it can be exploited if one "open(s) an attachment that could exploit the vulnerability." ISS obliquely says attacks may occur by "...simply embedding the required logic in specially crafted HTML emails.".
MS doesn't have a bulletin description specific to malicious email attachments, but one of their global workarounds includes prompting or disabling active scripting in the Local intranet security zone, which addresses a malicious attachment exploit in this situation. In addition, keeping gateway email AV sigs up to date is advisable..."

:eek:

#11 AplusWebMaster


Posted 26 March 2006 - 01:02 PM

FYI...

- http://www.websenses...php?AlertID=451
March 26, 2006
"...To date we have discovered more than 200 unique URL's that are using the vulnerability to run exploit code. The most common is the use of shellcode to run a Trojan Horse downloader that downloads additional payload code over HTTP. The additional payload has been various forms of BOT's, Spyware, Backdoors, and other Trojan Downloader's. Our honeyclients are actively scanning for sites that are using this vulnerability to run code without user-interaction..."
----------------------------------
If you aren't using the Firefox browser, NOW would be a good time to start:
- http://www.mozilla.com/firefox/
----------------------------------

:eek:

Edited by apluswebmaster, 26 March 2006 - 01:37 PM.


#12 AplusWebMaster


Posted 27 March 2006 - 06:32 AM

FYI...

- http://blogs.technet.../27/423176.aspx
Monday, March 27, 2006 12:36 AM
"...the IE team has the update in process right now and if warranted we’ll release that as soon as it’s ready to protect customers (right now our testing plan has it ready in time for the April update release cycle)..."


:huh:

#13 AplusWebMaster


Posted 28 March 2006 - 04:50 AM

FYI...

eEye offers temporary IE fix
- http://news.com.com/..._3-6054583.html
Published: March 27, 2006, 6:35 PM PST
Last modified: March 27, 2006, 10:50 PM PST
"eEye Digital Security released a temporary fix* on Monday for Internet Explorer to combat attacks that exploit a recently disclosed security hole in the browser. The unofficial fix blocks access to the vulnerable component in the Microsoft Web browser, preventing malicious Web sites from taking advantage of the vulnerability, said Steve Manzuik, security product manager at eEye in Aliso Viejo, Calif. Microsoft does not have a fix for the flaw available yet. Though eEye's patch does protect PCs against attacks that take advantage of the flaw, the company recommends installing the fix only as a last resort. "Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," Manzuik said. Disabling Active Scripting is Microsoft's suggested work-around. "This patch is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw," Manzuik said. eEye, which makes an intrusion-prevention product called Blink, crafted the fix at the request of its customers, Manzuik said. "Customers who don't have Blink deployed yet were looking for a temporary solution," he said. However, eEye has made the fix available for anyone, on its Web site. Microsoft doesn't recommend installing eEye's fix. "We have not tested this mitigation tool," said Stephen Toulouse, a program manager in Microsoft's Security Response Center. "We can't recommend it because we have not tested it...Customers should weigh the risk of applying something like this to their systems"..."

* http://www.eeye.com/...AL20060324.html

.

#14 AplusWebMaster


Posted 28 March 2006 - 06:53 AM

FYI...

Temporary Patches for createTextRange Vuln
- http://isc.sans.org/...hp?storyid=1226
Last Updated: 2006-03-28 12:24:34 UTC
"Eeye released a temporary patch for the current createTextRange vulnerability. The patch can be found here:
http://www.eeye.com/...AL20060324.html . A second patch has been made available by Determina ( http://www.determina...rch272006_1.asp ).
At this point, we do not recommend applying this temporary patch for a number of reasons:
* The workaround, to turn off Active Scripting AND to use an alternative browser is sufficient at this point.
* We have not been able to vet the patch. However, source code is available for the Eeye patch, so you can do so yourself. Determina has not released source code at this point.
* Exploit attempts are so far limited. But this could change at any time.
Some specific cases may require you to apply the third party patch. For example, if you are required to use several third party web sites which only function with Internet Explorer and Active Scripting turned on. In this case, we ask you to test the patch first in your environment. You may also want to consider contacting Microsoft. Microsoft may not be aware of the importance of security to its customers.
We do suspect that Microsoft will still release an early patch given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within 2 days if needed. Microsoft has honed its patching skills from numerous prior patches. At this point, Microsoft suggested that the patch will be released no later than the second Tuesday in April. Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments.
Please let us know about issues (or successful installs) of either patch. We will summarize issues here."

.

#15 AplusWebMaster


Posted 28 March 2006 - 04:32 PM

FYI...

MS Security Advisory 917077 (updated)
- http://www.microsoft...ory/917077.mspx
Updated: March 28, 2006
"...Microsoft has been carefully monitoring the attempted exploitation of the vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the attacks are limited in scope at this time...
Microsoft is completing development of a cumulative security update for Internet Explorer that addresses the recent “createTextRange” vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the April security updates on April 11, 2006, or sooner as warranted.
Customers who follow the suggested actions and workarounds in this advisory are less likely to be compromised by exploitation of this vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code...

• March 28, 2006: Advisory updated with information regarding additional security software protections, current limited scope of attacks, and the status of the Internet Explorer security update."

.

#16 quietman7

  • Helper
  • 680 posts

Posted 30 March 2006 - 02:36 PM

This is an update to earlier alerts posted...Attackers have begun spamming e-mail lures in an attempt to attract users to infected websites. These e-mail messages contain excerpts from actual BBC news stories and offer a link to "Read More". Users who follow this link are taken to a website that is a spoofed copy of the BBC news story from the e-mail...

websensesecuritylabs.com/alerts

.
Windows Insider MVP 2017-2019
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#17 AplusWebMaster


Posted 30 March 2006 - 03:46 PM

FYI...

- http://www.techweb.c..._section=700028
March 30, 2006
"While users wait for Microsoft to patch the most recent zero-day vulnerability in Internet Explorer, security experts agree that the best way to protect PCs is to dump the browser's Active Scripting function. Even eEye Digital Security, one of two commercial security vendors that has released unsanctioned, temporary patches for the problem, said so. "Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," eEye warned in the advisory accompanying the patch. Microsoft's preferred workaround for the createTextRange bug is to disable Active Scripting so as to bar any JavaScript code from running. In fact, this isn't the first time that Microsoft has urged users to switch off Active Scripting; in early December, it used the same advice when another unpatched vulnerability was wreaking havoc.

Here's how to turn off Active Scripting:
-- In Internet Explorer, click Internet Options on the Tools menu.
-- Click the Security tab.
-- Click Internet, and then click Custom Level.
-- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK.
-- Click Local intranet, and then click Custom Level.
-- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK.
-- Click OK two times to return to Internet Explorer.

Doing so, however, will break some sites and/or functions within sites, as Microsoft itself warned in the security advisory posted last week and updated Wednesday. "Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly," the advisory went. "If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly."

:huh:
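The GUI steps quoted in post #17 change one registry value per zone, so the workaround can be audited from a script. This is an added example, not part of the original post, the article or the advisory; the function name is hypothetical, and the layout used (zone 1 = Local intranet, zone 3 = Internet, action `1400` = Active Scripting, data 0/1/3 = Enable/Prompt/Disable) is the standard Internet Explorer zone registry layout. Treating the first location that holds a value as the effective one is an assumption about precedence.

```powershell
# Added example (not from the quoted article): report the Active Scripting setting
# for the two zones named in the workaround.

$Zones = @(
    @{ Id = 1; Name = 'Local intranet' },
    @{ Id = 3; Name = 'Internet' }
)

# Data values of the 1400 (Active Scripting) action.
$Setting = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Locations checked in order. Assumption: policy keys override the per-user
# preference, and machine policy overrides user policy.
$Sources = @(
    @{ Label = 'Machine policy'
       Root  = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones' },
    @{ Label = 'User policy'
       Root  = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones' },
    @{ Label = 'User setting'
       Root  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones' }
)

function Get-ActiveScriptingSetting {
    # Emits one object per zone describing the first location that sets action 1400.
    foreach ($zone in $Zones) {
        $found = $null
        foreach ($src in $Sources) {
            $key  = '{0}\{1}' -f $src.Root, $zone.Id
            $prop = Get-ItemProperty -LiteralPath $key -Name '1400' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }       # key or value absent at this location
            $data = [int]$prop.'1400'
            $text = if ($Setting.ContainsKey($data)) { $Setting[$data] } else { "Other ($data)" }
            $found = [pscustomobject]@{
                Zone      = $zone.Name
                Source    = $src.Label
                Scripting = $text
                Mitigated = ($data -in 1, 3)        # Prompt or Disable
            }
            break
        }
        if (-not $found) {
            # No explicit value means the workaround was never applied for this user.
            $found = [pscustomobject]@{
                Zone      = $zone.Name
                Source    = '(none)'
                Scripting = 'Not set (zone default applies)'
                Mitigated = $false
            }
        }
        $found
    }
}

$report = @(Get-ActiveScriptingSetting)
$report | Format-Table -AutoSize
foreach ($row in $report | Where-Object { -not $_.Mitigated }) {
    Write-Warning "$($row.Zone): Active Scripting is '$($row.Scripting)' via $($row.Source)."
}
```

The per-user key reflects only the account running the script, so on shared machines it has to run once per user profile.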

#18 AplusWebMaster


Posted 30 March 2006 - 03:59 PM

FYI...

- http://isc.sans.org/...hp?storyid=1228
Last Updated: 2006-03-30 21:46:03 UTC
"...UPDATE 1: Some readers have written in to express their unhappiness that the non-security-related patch done for legal reasons is being released with the fix for the zero-day IE flaw. I agree. I don't like to see them together either. Consider your complaint on that registered with the ISC, not that we can do anything about it."

:(

#19 AplusWebMaster


Posted 01 April 2006 - 07:03 AM

FYI...

Optimized IE Exploit Speeds Up Infection
- http://www.techweb.c...urity/184417612
March 31, 2006
"A new twist on the existing exploit of Internet Explorer's zero-day vulnerability has slashed the time it takes to compromise a computer, a security company claimed Friday. According to Sunnyvale, Calif.-based Fortinet, the exploit -- dubbed "JS/CreateTextRange.B" to differentiate it from the original -- takes much less time to execute... The change could be significant, since the one exploit now in circulation takes 5 to 10 seconds to execute, said Dan Hubbard, senior director of security and research at Websense... Speeding up the infection could cause fewer users to close IE, and lead to more machines falling under the sway of spyware and keyloggers. As of mid-afternoon Friday, Microsoft had not pushed out a patch for the IE flaw, but users had other options to defend themselves, including disabling the browser's Active Scripting feature, installing one of two third-party fixes, or switching to another Web browser, such as Firefox."

- http://tinyurl.com/qzewq
"JS/CreateTextRange.B!exploit
Visible Symptoms
* A system message warning the user that Virtual Memory is running out may pop up from the tray bar - this is due to an increase of VM used by Internet Explorer.
* Upon viewing a Trojanized webpage, arbitrary code could execute, ranging from simple denial of service to Internet Explorer to shell code allowing access to the victimized system..."

:(

#20 AplusWebMaster


Posted 07 April 2006 - 07:06 AM

FYI...

- http://blogs.technet.../06/424519.aspx
Published Thursday, April 06, 2006 7:14 PM
"...This coming Tuesday, the 11th, we’re planning to release five security bulletins, 4 for Windows and 1 that affects both Windows and Office. One of the Windows bulletins will be the cumulative Internet Explorer update that will address the "CreateTextRange" vulnerability..."

.