[ISN] Internet Explorer carved up by zero-day hole

From: InfoSec News (isn@private)
Date: Thu Jun 10 2004 - 02:44:35 PDT

  • Next message: InfoSec News: "[ISN] CFP: Tridentcom 2005"

    Kieren McCarthy
    Two new vulnerabilities have been discovered in Internet Explorer
    which allow a complete bypass of security and provide system access to
    a computer, including the installation of files on someone's hard disk
    without their knowledge, through a single click.
    Worse, the holes have been discovered from analysis of an existing
    link on the Internet and a fully functional demonstration of the
    exploit have been produced and been shown to affect even fully patched
    versions of Explorer.
    It has been rated "extremely critical" by security company Secunia,
    and the only advice is to disable Active Scripting support for all but
    trusted websites.
    The discovery stems from Dutch researcher Jelmer who was sent an
    Internet link which he was warned used unknown Explorer
    vulnerabilities to install adware on his computer. He found it did and
    embarked on a detailed analysis of the link, which demonstrates an
    extremely sophisticated use of encrypted code to bypass the Web
    browser's security.
    In simple terms, the link uses an unknown vulnerability to open up a
    local Explorer help file --
    ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm. It delays
    executing anything immediately but instead uses another unknown
    vulnerability to run another file which in turn runs some script. This
    script is then used to run more script. And finally that script is
    used to run an exploit that Microsoft Corp. has been aware of since
    August 2003 but hasn't patched.
    That exploit -- Adodb.stream -- has not been viewed as particularly
    dangerous, since it only works when the file containing the code is
    present on the user's hard disk. The problem comes in the fact that
    the Help file initially opened is assumed to be safe since it is a
    local file and so has minimal security restrictions.
    By using the unknown exploits, code is installed within the help file
    window, all security efforts are bypassed, and the Adodb.stream
    exploit is then used to download files on the Internet direct to the
    hard disk.
    What this means in reality is that if you click on a malicious link in
    an email or on the Internet, a malicious user can very quickly have
    complete control of your PC. And there is no patch available. You can
    see it happen by click here.
    With the code already available on the Net, this is effectively a
    security nightmare ... unless you're a Mozilla or Opera user that is.
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)

    This archive was generated by hypermail 2b30 : Thu Jun 10 2004 - 04:46:43 PDT