Topic: Setting killbit as patch won't do anymore... ActiveX patch circumvented!

polonus

Hi malware fighters,

MS has to come up with an out of band patch, because setting a killbit for an insecure ActiveX control is not enough and can now be circumvented by hackers: http://blogs.iss.net/archive/Blackhat09.html
This hole really created some panic at Microsoft, because this means a gigantic problem:
http://www.pcworld.com/businesscenter/article/169122/microsoft_rushes_to_fix_ie_killbit_bypass_attack.html
By just visiting a malicious website hackers can do whatever they please even if a patch is being installed.
Why go on with a concept that was a big mistake from day 1 - ActiveX is an insecure concept period....
Here is a glimpse of the presentation of this 0-day: http://www.hustlelabs.com/bh2009preview/

The underlying Library issues and the OS dll's that could be involved deeper down are discussed here:
http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html


polonus
« Last Edit: July 29, 2009, 12:26:24 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

pete319

  • Guest
Thanks for the information polonus

Found it worrisome to say the least.

pete

MikeBCda

Wonder what will happen to Javacool's Spyware Blaster, whose primary protection is setting registry killbits?
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0 (default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

FreewheelinFrank

> Hi malware fighters,
>
> MS has to come up with an out of band patch, because setting a killbit for an insecure ActiveX control is not enough and can now be circumvented by hackers: http://blogs.iss.net/archive/Blackhat09.html
> This hole really created some panic at Microsoft, because this means a gigantic problem:
> http://www.pcworld.com/businesscenter/article/169122/microsoft_rushes_to_fix_ie_killbit_bypass_attack.html
> By just visiting a malicious website a hacker can do whatever they please even if a patch is being installed.
> Why go on with a concept that was a big mistake from day 1 - ActiveX is an insecure concept period....
> Here is a glimpse of the presentation of this 0-day: http://www.hustlelabs.com/bh2009preview/
>
> polonus

Bet Larry Seltzer feels like a knob every time he's reminded of this:

http://www.eweek.com/c/a/Security/The-Lame-Blame-of-ActiveX/
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

YoKenny

  • Guest
@ FreewheelinFrank

Pundits of Microsoft are many and many are armchair critics.

FreewheelinFrank

> @ FreewheelinFrank
>
> Pundits of Microsoft are many and many are armchair critics.

Looks like the critics were right.

polonus

Hi FwF,

Maybe MS has done some immediate damage containment through the special out of band ServicePack with defense in depth measures ( http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx ), but there are many third party software developers that also joined the ActiveX bandwagon; they can test their controls here: http://codetest2.verizonbusiness.com/termsOfUse.aspx against ATL (Active Template Library) vulnerabilities, which started this deep hole in the first place.

More likely than not Internet Explorer has been compiled using the vulnerable ATL. That is why yesterday's two updates cannot be seen separately. It seems unrealistic that all software that has been developed using the vulnerable ATL now has been steemed out,

polonus

« Last Edit: July 29, 2009, 04:15:38 PM by polonus »

polonus

Hi malware fighters,

And what was the first third party software that had MS ATL vulnerabilities? Well one could guess...Adobe, yes this was established to be: http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html

Yes, the software is on 450 million desktops. Of course you updated to the latest version: http://www.adobe.com/support/security/bulletins/apsb09-11.html where an 8 month old hole was patched, and now it seems again broken because of the recently found ATL issue,

polonus
