Author Topic: Zero Day exploit being used to infect PCs  (Read 30536 times)

0 Members and 1 Guest are viewing this topic.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Zero Day exploit being used to infect PCs
« on: September 19, 2006, 06:04:00 PM »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Zero Day exploit being used to infect PCs
« Reply #1 on: September 19, 2006, 06:22:00 PM »
I guess this proves that if you look at trash, some of it is bound to rub off on you.  ;D
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Zero Day exploit being used to infect PCs
« Reply #2 on: September 20, 2006, 08:22:10 AM »
Quote
According to Sunbelt researcher Eric Sites, the exploits at the moment appear to be hosted mainly on hardcore porn sites. But if past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage.

http://blog.washingtonpost.com/securityfix/2006/09/newly_detected_ie_exploit_spel.html

Quote
Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML) Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited.

Quote
A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility Microsoft’s goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

Customers are encouraged to keep their anti-virus software up to date.

Quote
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.

http://www.microsoft.com/technet/security/advisory/925568.mspx

So in other words, the malware pushers have at least two clear weeks to exploit this vulnerability, and they could do it by using third party content on legitimate sites, so don't think that you're safe if you don't visit porn sites.





     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Zero Day exploit being used to infect PCs
« Reply #3 on: September 20, 2006, 11:04:33 AM »
Hi FwF,

There might be an earlier patch out than Oct. 10th next, because as was heard the exploit has been added to the Web Attacker Toolkit.
After patching a rather large number of computers will still be vulnerable because they are not patched, or can't be (pirated MS versions).
What is so disturbing here, that the issue seemed to have been addressed in an earlier patch, still this one was possible later. So they did half a job on the earlier.
It would be reveiling to see what old holes and bugs are intrinsically left. That would mean these things are fundamentally wrong in the coding, but we cannot establish this unless the code is opened up. All we have is security through obscurity.

polonus
« Last Edit: September 20, 2006, 11:09:04 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Re: Zero Day exploit being used to infect PCs
« Reply #4 on: September 20, 2006, 10:09:39 PM »
Here's an emergency work-around to disable VML rendering in Internet Explorer.



http://blogs.zdnet.com/Ou/?p=323&tag=nl.e550
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

neal62

  • Guest
Re: Zero Day exploit being used to infect PCs
« Reply #5 on: September 21, 2006, 05:55:53 AM »
I don't use my I.E. except for Windows Updates. Guess I will just continue using my other browsers for the time being.  :)

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Zero Day exploit being used to infect PCs
« Reply #6 on: September 21, 2006, 03:46:46 PM »
I don't use my I.E. except for Windows Updates. Guess I will just continue using my other browsers for the time being.  :)
From that same artice that features the temp work-a-round:
"it's still a good idea to implement the above work-arounds since Internet Explorer is still present on the system."
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Zero Day exploit being used to infect PCs
« Reply #7 on: September 22, 2006, 08:35:47 AM »
Hello bob3160, hello FwF,

Well over 10.000 websites will use the new VML 0-day exploit in the end to infect Internet Explorer users, is the warning of researcher Dan Hubbard. This was not known with certainty until very recently, but there is proof it now that it has become part of the new WebAttacker toolkit, this new VML exploit was added. "We have seen new versions of WebAttacker on certain websites, and could compare them to older vesrions of it", as Hubbard let us know.

The toolkit is produced by Russian cybercriminals, and is sold for the sum of 20 dollars. Through this toolkit it is possible to easily infect both Internet Explorer as well as Firefox users'machines, whether they have patched their browsers or not.

There are around 10.000 sites to host the WebAttacker toolkit or point towards sites, hosting the toolkit. The sites using the new exploit are aprox. only 20 sites, but Hubbard expects that this number will rapidly grow, when WebAttacker toolkit users are updating their "software".

polonus
« Last Edit: September 22, 2006, 08:39:41 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Zero Day exploit being used to infect PCs
« Reply #8 on: September 22, 2006, 08:50:44 AM »
Hi Polonus,

I've just been listening to Steve Gibson and Leo Laporte discussing this very issue with Eric Sites from Sunbelt on the latest Security Now podcast:

http://www.grc.com/SecurityNow.htm#58
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Zero Day exploit being used to infect PCs
« Reply #9 on: September 22, 2006, 09:47:30 AM »
Hi FwF,

Listened to this interesting podcast, well the first half of it (do not have a Win 2*** machine, so that is why).
A few notes on the side 'though. Well all this because the enormous complexity of the Internet as a super-machine is growing way over our security-heads, really.

In the Netherlands now a big bank does not accept users of Win 98SE or ME as customers to their internet banking, because of their obsolete OS and old browsers are unsafe(r). For this explot they are actually secure (IE before 5.0). Use something that is not used by the mainstream user, and you are reasonably "more secure" than Mr.Average or Mrs. Average are.
This is frightening news to realize, there is a dll functionality out there that cannot be patched for a month or more (hopefully an early patch is out, and the main stream user does not un-register the dll I am sure, so thanks to ultra-new technology the Internet community is set at risk on a grand scale.

Does in-browser security protect you in any sense here, so you are warned not to go to these 20 odd sites (or all that I-frame link to them) through SiteAdvisor, GeoTrust, DrWeb anti-virus link checker???
Can you search through www.scandoo.com and still be infected with this graphical vector script independent malware infectors just to raise money for the malware artists and cybercriminals at an investment of a lousy 20 bucks.

Waiting for the patch from M$ to come, certainly is not the way to stop this. Better be if Microsoft could feel the liability for putting the users at risk through their software with buggy code where it hurts most in their big purses . There are a lot of people that say, if this was to happen, they would have a better urge to make their code safer (link on this standpoint here: http://www.cio.com/blog_view.html?CID=24948 ).

Other info on this bug:
http://www.kb.cert.org/vuls/id/416092

polonus
« Last Edit: September 22, 2006, 10:56:48 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Zero Day exploit being used to infect PCs
« Reply #10 on: September 22, 2006, 06:14:05 PM »
Quote
We’ve also confirmed that Windows XP Service Pack 2 users can enable system-wide enforcement of software-enforced DEP to effectively block the in-the-wild exploits of this vulnerability, while retaining the ability to use the targeted Vector Markup Language (VML) functionality. Microsoft Knowledge Base Article 875352 describes how to change DEP policy using either the System control panel applet or the boot.ini file. Either method requires a system reboot to take effect.

http://blogs.securiteam.com/index.php/archives/624

[A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003

http://support.microsoft.com/kb/875352]

Quote
Also worth mentioning is that the current in-the-wild exploits attempt system-wide software installations, as do most zero-day exploits for such vulnerabilities. If your browser is not running under an account with administrative privileges, this will not succeed. The most effective way to do this is for users to log on interactively with accounts running as Limited Users, rather than members of the privileged Power Users or Administrators groups. Michael Howard wrote an MSDN article that describes an alternative way to run high-risk applications like browsers without administrative privileges if you require a privileged interactive logon for some reason.

That's the application DavidR's always recommending to us: DropMyRights.  ;)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Zero Day exploit being used to infect PCs
« Reply #11 on: September 22, 2006, 06:24:14 PM »
Quote
Also worth mentioning is that the current in-the-wild exploits attempt system-wide software installations, as do most zero-day exploits for such vulnerabilities. If your browser is not running under an account with administrative privileges, this will not succeed. The most effective way to do this is for users to log on interactively with accounts running as Limited Users, rather than members of the privileged Power Users or Administrators groups. Michael Howard wrote an MSDN article that describes an alternative way to run high-risk applications like browsers without administrative privileges if you require a privileged interactive logon for some reason.

That's the application DavidR's always recommending to us: DropMyRights.  ;)

And a very useful non-intrusive tool it is once you set-up the shortcuts that can limit the harm of any malware that gets past your defences not only 0-day exploits.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Smith

  • Guest
Re: Zero Day exploit being used to infect PCs
« Reply #12 on: September 22, 2006, 06:29:02 PM »
That's the application DavidR's always recommending to us: DropMyRights.  ;)
And it is nice of him to do so.  cf. DropMyRights

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Zero Day exploit being used to infect PCs
« Reply #13 on: September 22, 2006, 06:39:05 PM »
The DropMyRights link in my signature tries to simplify the set-up.
The MS Page has some very good images and is worth printing if you are considering it. It use it for any program that connects to the internet, all browsers, email program, mailwasher anti-spam.

Once set-up it is very unusual if you need to use the browser without the dropmyrights shortcut, such as windows update where you currently need administrator rights. I assume that will all have to change for Vista as and when it arrives with its UAC or you will have to enter the administrator password, something I'm not to happy about doing on-line. Don't I trust MS, about as far as I could through them ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Zero Day exploit being used to infect PCs
« Reply #14 on: September 22, 2006, 06:39:48 PM »
Quote
And a very useful non-intrusive tool it is once you set-up the shortcuts that can limit the harm of any malware that gets past your defences not only 0-day exploits.

Preaching to the choir here: I've been using it for a long time.  ;)

Thanks for letting us know about it David!  :D
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog