http://www.computerworld.com/s/article/9135950/Microsoft_rushes_to_fix_IE_kill_bit_bypass_attack?taxonomyId=17

By Robert McMillan
IDG News Service
July 27, 2009

Microsoft has been forced to issue emergency patches for its Windows operating system after researchers discovered a way to bypass a critical security mechanism in the Internet Explorer browser.

During a Wednesday talk at this week's Black Hat conference in Las Vegas, researchers Mark Dowd, Ryan Smith and David Dewey will show a way of bypassing the 'kill-bit' mechanism used to disable buggy ActiveX controls.

A video demonstration posted by Smith shows how the researchers were able to bypass the mechanism, which checks for ActiveX controls that are not allowed to run on Windows. They were able to then exploit a buggy ActiveX control in order to run an unauthorized program on a victim's computer.

Although the researchers have not revealed the technical details behind their work, this bug could be a big deal, giving hackers a way of exploiting ActiveX problems that were previously thought to have been mitigated via kill-bits.

"It's huge because then you can execute controls on the box that weren't intended to be executed," said Eric Schultze, chief technology officer with Shavlik Technologies. "So by visiting an evil Web site [criminals] can do anything they want even though I've applied the patch."

[...]

Received on Tue Jul 28 2009 - 00:29:16 PDT
This archive was generated by hypermail 2.2.0 : Tue Jul 28 2009 - 00:37:39 PDT