CRIME FW: Message from William Pelgrin-NYS OCSCIC-Cyber Advisory:New Microsoft Internet Explorer Vulnerabilit

From: George Heuston (geoneve@private)
Date: Fri Oct 03 2003 - 07:19:24 PDT

    -----Original Message-----
    From: Gregg Shankle [mailto:Gregg.Shankle@private] 
    Sent: Thursday, October 02, 2003 2:53 PM
    To: boyd_r@private; Gail.Levario@private;
    geoneve@private; Mike Ruffner; Marcus Beaman; Chris Aldrich; David
    C Yandell; Barbara A Jensen; Michael S Curtis; Kenneth D Murphy; Steve
    Payne; Abe Yoakum; HUITT Dale; Pat Pope; Mary.Dover@private
    Cc: John Salle
    Subject: Fwd: Message from William Pelgrin-NYS OCSCIC-Cyber Advisory:New
    Microsoft Internet Explorer Vulnerabilit
    
    Cyber Sector FYI from our New York partners-
    
    Gregg Shankle, Detective
    
    Oregon State Police Office of Public Safety and Security
    
    end
    
    >>> "Morrissey, Margaret (CSCIC)" <Margaret.Morrissey@private>
    10/02/03 01:27PM >>>
    
    DATE ISSUED: 10/2/03
    
    NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE
    COORDINATION CYBER ADVISORY
    
    SUBJECT: Zero-Day exploit for Internet Explorer vulnerability being used
    to install Trojan.
    
    OVERVIEW:
    
    Several sources report that exploits are available for a new
    vulnerability in Microsoft Internet Explorer (IE) which allows attackers
    to run malicious code on vulnerable systems.  The Qhosts Trojan is
    actively exploiting one of these vulnerabilities to hijack browser
    sessions by reconfiguring the DNS configuration on infected systems.  
    
    Note that Microsoft has not yet issued a patch for this vulnerability.
    
    In addition, one New York State agency has identified a minor Qhosts
    Trojan infection.
    
    RISK:

    Government:
                - Large and medium government entities: Medium
                - Small government entities: Medium
    Businesses:
                - Large and small businesses: Medium
                - Small businesses: Medium
    Home users: Medium
    
    SYSTEMS AFFECTED: 
    
    Systems running Microsoft Internet Explorer 5.01, 5.5, 6.0.
    
    DESCRIPTION:
    
    By not properly determining the object types returned by a web server,
    vulnerable versions of IE can allow a remote attacker to execute
    arbitrary code on the victim box by making use of the HTML object tag
    which is used to embed ActiveX into HTML pages. The parameter in the
    object tag which describes the remote location of the data for objects
    is not checked for validity allowing Trojan executables to be run from
    within the web page without the user knowing anything is happening.
    
    The Qhosts Trojan is one example of how this vulnerability is being
    exploited.  Qhosts changes the Windows registry and HOSTS file to
    redirect DNS queries to an external host that is, presumably, controlled
    by a malicious person who can, in turn, redirect infected systems to
    other web sites.
    
    CERT also cites other examples where the vulnerability is being
    exploited to install denial of service tools or to change dialer
    programs to make expensive phone calls.
    
    RECOMMENDATIONS: 
    
    1) Applying the patch indicated by Microsoft Security Bulletin MS03-032
    will correct one way to exploit this vulnerability but there are other
    variations that are not corrected.  Once a new patch is issued by
    Microsoft it should be applied as soon as possible.
    
    2) Until a patch is available, you can try to mitigate the vulnerability
    by changing the "Run ActiveX controls and plug-ins" in the Internet Zone
    to either "disable" or "prompt" however both CERT and a posting on
    Bugtraq indicate this may not mitigate the problem since in some cases
    the malicious code may not be detected as ActiveX content.  Also note
    that disabling ActiveX may cause problems when accessing existing
    applications in the Internet Zone.
    
    3) Keep your anti-virus software updated.  AV vendors have posted
    updates to detect Qhosts but that is not the only exploit available.
    
    4) CERT has some additional actions for system administrators that
    should be evaluated carefully by each organization since they may cause
    problems with existing business applications.
    
    REFERENCES:

    CERT:
    http://www.cert.org/incident_notes/IN-2003-04.html

    BugTraq:
    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=ntbugtraq&F=P&S=&P=2169

    McAfee:
    http://vil.nai.com/vil/content/v_100719.htm

    Symantec:
    http://www.symantec.com/avcenter/venc/data/trojan.qhosts.html

    SearchSecurity.com:
    http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci930187,00.html

    Microsoft:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-032.asp

    Neohapsis:
    http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0084.html

    SecurityFocus:
    http://www.securityfocus.com/bid/8456/info/
    http://www.securityfocus.com/advisories/5725
    
    _____________________________
    William F. Pelgrin
    Director
    NYS Cyber Security and Critical Infrastructure Coordination
    30 South Pearl Street
    Albany, New York 12207
    518-473-4383 (Phone)
    518-402-3799 (Fax)
    william.pelgrin@private
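The advisory above names two things a defender can verify on a workstation: whether the HOSTS file has been rewritten to send name lookups to an external host (the Qhosts behaviour it describes), and whether the Internet Zone "Run ActiveX controls and plug-ins" setting follows recommendation 2. The script below is an added example, not part of the advisory and not a CERT, Microsoft or anti-virus vendor tool. The HOSTS content it scans is constructed sample data; the registry locations it reads on Windows (the TCP/IP `DataBasePath` value and IE zone 3, action value `1200`) are the standard locations and are assumed present and unchanged on the system it runs on.

```python
"""Audit helpers for the two symptoms the advisory describes: a HOSTS file
that redirects lookups off the machine, and an Internet Zone ActiveX setting
still at "enable". Added example; sample data is constructed."""
import ipaddress
import os
import sys

# Addresses a HOSTS entry may point at without sending traffic off the box.
_LOCAL_OK = {ipaddress.ip_address("127.0.0.1"),
             ipaddress.ip_address("::1"),
             ipaddress.ip_address("0.0.0.0")}

# Default HOSTS directory on Windows (standard location, assumed unchanged).
_DEFAULT_HOSTS_DIR = r"%SystemRoot%\System32\drivers\etc"


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-file text, skipping comments,
    blank lines and lines whose first token is not an IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def suspicious_hosts_entries(text, allow=frozenset({"localhost"})):
    """Entries that map a hostname to a non-local address, i.e. the kind of
    redirection the advisory attributes to Qhosts. Returns (ip, host) strings."""
    flagged = []
    for ip, host in parse_hosts(text):
        if host in allow or ip in _LOCAL_OK or ip.is_loopback:
            continue
        flagged.append((str(ip), host))
    return flagged


# IE URL-action policy values for "Run ActiveX controls and plug-ins" (0x1200).
_ACTIVEX_POLICY = {0: "enable", 1: "prompt", 3: "disable"}


def activex_setting_name(value):
    """Map the raw zone value to the name shown in the Internet Options dialog."""
    return _ACTIVEX_POLICY.get(value, "unknown(%r)" % (value,))


def activex_setting_is_mitigated(value):
    """True when the setting matches recommendation 2 (prompt or disable)."""
    return activex_setting_name(value) in ("prompt", "disable")


def hosts_directory():
    """(expanded DataBasePath, True if it differs from the default) on Windows;
    (None, False) elsewhere. A relocated HOSTS directory is worth a look."""
    if sys.platform != "win32":
        return None, False
    import winreg  # Windows-only module
    key_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        path, _ = winreg.QueryValueEx(key, "DataBasePath")
    expanded = os.path.expandvars(path)
    return expanded, expanded.lower() != os.path.expandvars(_DEFAULT_HOSTS_DIR).lower()


def read_internet_zone_activex_setting():
    """Current user's Internet Zone (zone 3) value 1200 on Windows; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "1200")
    return value


# Constructed sample HOSTS content (not from a real infection).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       dev.internal.example   # local test alias
203.0.113.7     www.example-search.test
203.0.113.7     example-bank.test secure.example-bank.test
"""

if __name__ == "__main__":
    hosts_dir, relocated = hosts_directory()
    text = SAMPLE_HOSTS
    if hosts_dir is not None:
        print("HOSTS directory: %s%s" % (hosts_dir, " (NOT default)" if relocated else ""))
        with open(os.path.join(hosts_dir, "hosts"), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for ip, host in suspicious_hosts_entries(text):
        print("HOSTS redirects %s -> %s" % (host, ip))
    current = read_internet_zone_activex_setting()
    if current is not None:
        print("Internet Zone ActiveX: %s (mitigated: %s)"
              % (activex_setting_name(current), activex_setting_is_mitigated(current)))
```

Run on Windows it audits the live HOSTS file and zone setting; elsewhere it only scans the embedded sample, which is enough to see how the redirection check works. Entries that point a public-looking name at a loopback address are left alone, since that is the usual benign use of the file.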
    
    This archive was generated by hypermail 2b30 : Fri Oct 03 2003 - 08:00:46 PDT