0-Day Exploit & Security Tips

Filed under Security News, Security Programs, Windows

Today is just another day for security experts, but another painful day for the Internet novice. Over 6 months ago an exploit was released that gave hackers the capability to view files and folders on a user’s computer. This morning an updated exploit was released that lets people run code on the attacked computer as well. Usually when we hear about exploits like these, the vendor has already released a patch. That is not the case this time: as of now, even a fully patched Windows 2000 / XP computer is still at risk. Below is the information regarding the exploit, followed by a few programs I use to help monitor and prevent these issues from happening again.

Rated as: Critical
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Date: 2005-11-21

Technical Description

A critical vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to JavaScript "window()" objects and "onload" events, which could be exploited by remote attackers to take complete control of an affected system by convincing a user to visit a malicious Web page.

This vulnerability has been confirmed on Windows XP SP2 with Internet Explorer 6 (fully patched).

Exploits

Proof of Concept

Affected Products

Microsoft Internet Explorer 6 for Microsoft Windows XP SP2
Microsoft Internet Explorer 6 SP1 on Microsoft Windows XP SP1
Microsoft Internet Explorer 6 SP1 on Microsoft Windows 2000 SP4
Microsoft Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4

Solution

Disable Active Scripting in Internet Explorer:

1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Security tab, click Custom Level.
4. In the Settings box, click Disable under Active scripting.
5. Click OK, and then click OK.
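
The same setting can be verified from the registry, where Internet Explorer stores each zone's Active scripting action as DWORD value 1400 (0 = enable, 1 = prompt, 3 = disable). The PowerShell below is an added example, not part of the original post; it assumes the steps above were applied to the Internet zone (zone 3), reads only the current user's settings under HKCU, and does not check for Group Policy overrides.

```powershell
# Added example: audit Internet Explorer's "Active scripting" action
# (registry value 1400) in each security zone for the current user.
# Assumption: per-user settings under HKCU; policy overrides are not checked.
$ZonesPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Actions   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    foreach ($id in 0..4) {
        $key   = Join-Path $ZonesPath "$id"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $raw   = $null
        if ($props) { $raw = $props.'1400' }

        # Translate the raw DWORD into the label shown in the Custom Level dialog.
        if ($null -eq $raw) {
            $state = 'Not set (default applies)'
        } elseif ($Actions.ContainsKey([int]$raw)) {
            $state = $Actions[[int]$raw]
        } else {
            $state = "Unknown ($raw)"
        }

        [pscustomobject]@{ ZoneId = $id; Zone = $ZoneNames[$id]; ActiveScripting = $state }
    }
}

$report = Get-ActiveScriptingState
$report | Format-Table ZoneId, Zone, ActiveScripting -AutoSize

# The workaround is in place when the Internet zone (3) reads "Disabled".
$internet = $report | Where-Object { $_.ZoneId -eq 3 }
if ($internet.ActiveScripting -ne 'Disabled') {
    Write-Warning 'Active scripting is not disabled in the Internet zone.'
    # To apply the workaround without the GUI, uncomment the next line:
    # Set-ItemProperty -Path (Join-Path $ZonesPath '3') -Name '1400' -Value 3 -Type DWord
}
```

Run it again after changing the setting in Internet Options to confirm the Internet zone now reports Disabled.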

References

http://www.frsirt.com/english/advisories/2005/2509

http://www.frsirt.com/english/reference/1111

Credits

Vulnerability originally reported by Benjamin Tobias Franz and exploited by Stuart Pearson

Now let’s take a look at a few of the programs I use to monitor internet attacks, provide alternate browsing, and monitor and prevent system changes.

Internet Storm Center handler Tom Liston created a systray application to monitor the status of the Infocon. Basically, if you see this application flashing yellow, orange, or even red, then you know it’s time to come back here and see what’s going on!

Download: ISC Alert

Mozilla Firefox is an alternate browser you may use to avoid this exploit. I do recommend using Firefox, but not only Firefox. I use both for different things: Internet Explorer for trusted sites, and Firefox for normal web browsing.

Download: Firefox

The wonderful people at Fortego Security have created a program called All-Seeing Eye. This program gives you full monitoring control of all system changes. This is a little extreme for some, but a must for others.

Download: All-Seeing Eye

2 Comments

  1. Dan says:

    Excellent post J.

    -Dan
