
Deadly duo of IE zero day flaws: one weaponized, one wild


Just a few days after Microsoft Patch Day, already two new zero-day Internet Explorer (IE) vulnerabilities have come to light. Surprise, surprise: it seems the unwelcome trend of "afterpatch" zero-day releases continues strong.

The first of these two IE flaws was discovered by a Chinese researcher who calls himself nop, after an assembly language instruction that tells a CPU to do nothing. I question nop's ethics, because in disclosing this vulnerability, he publicly released weaponized exploits that allow an attacker to execute any malicious code of his choosing on a victim's computer.

Nop doesn't describe this vulnerability in any detail. However, a look at his exploit code reveals that the vulnerability involves the way IE handles the DirectAnimation.PathControl ActiveX Control when using the KeyFrame() method. All that techno-blather just means that one of IE's Microsoft Multimedia ActiveX controls is broken -- broken in a way that could allow an attacker to inject code into memory and execute it. By enticing you to a malicious Web page, an attacker could exploit this flaw to execute code on your machine, with your privileges. Microsoft is now aware of this flaw and has already released a security advisory about it. Although nop gave them no time to release a patch, Microsoft has offered many good workarounds in the Suggested Actions section of their advisory.

As bad as that first flaw sounds, the second is worse, if only because researchers have discovered attackers exploiting it in the wild. According to a post on the Sunbelt security blog, Sunbelt's security research team has observed malicious Web sites exploiting a previously unknown IE flaw to infect systems. Sunbelt hasn't released a full analysis of this flaw yet, but they do say it involves a buffer overflow bug in IE's Vector Markup Language (VML) code.

Again, if an attacker can get you to visit her malicious Web page, she can exploit this flaw to execute code on your machine with your privileges. If you're a local administrator, she would gain full control of your PC. Microsoft released an advisory today containing workarounds for the issue. Sunbelt recommends you disable JavaScript in IE to avoid this attack.

I believe in full disclosure of security vulnerabilities, but not the way nop did it. I believe in responsible full disclosure. Researchers should release the full details pertaining to a security flaw only after they have notified the manufacturer, and given the manufacturer ample time to patch. When a so-called researcher releases plug-and-play, weaponized exploit code for a vulnerability that a manufacturer doesn't know about, it helps no one at all and demonstrates malicious intent.

With two unpatched IE flaws circulating, one already spreading in the wild and the other packaged and ready to go, you should definitely warn your users to remain vigilant while browsing the Internet. If it needs saying, stay away from the seedier sites!

As soon as I hear anything new and pertinent about this vulnerability, or Microsoft releases a patch, I'll inform you either via WatchGuard Wire or LiveSecurity Informer. -- Corey Nachreiner, CISSP


P.S. I thank the FrSIRT Incident Response team for information they shared in the testing of nop's exploit code.


Copyright © 2006 WatchGuard® Technologies, Inc.

Linked by shanmuga Tuesday, 19th September 2006 11:59PM