IE Flaw Exploit In Hacker Kit 'Raises the Stakes'

CWmike writes "Roger Thompson, chief research officer of AVG Technologies, said Sunday that an exploit for the newest IE flaw had been added to the Eleonore crimeware attack kit. 'This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day,' Thompson said on his company's blog. Microsoft has promised to patch the vulnerability, but last week said the threat didn't warrant an 'out-of-band' update. Microsoft will deliver three security updates Nov. 9, but won't fix the IE bug then."

Bug is really for Windows XP

[Anonymous Coward]

This bug is really only a serious problem for Windows XP users. (Yes, I know there are still a lot of them - however there are also a lot of Windows 7 users now and some Vista users). For Vista and Windows 7, since IE runs not just as a standard user, but also with Protected Mode (less than standard user rights and cannot write to the file system or registry outside of some very restricted locations, it isn't really an issue. Hence the lower priority on the patch.

Re:Bug is really for Windows XP

[NetNed]

Ah no it is a IE6 and potentially a IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6. Really has nothing to do with the UAC controls in place on Vista or Windows 7 since DEP is the front line defense against these attacks and works to stop the attacks before any registry altering is even possible.

Re:

[MightyMartian]

I don't see the problem here, providing permissions on registry keys is set up appropriately. At the end of the day, browsers like Firefox and Chrome can modify files in the filesystem.

Re:

[The Grim Reefer2]

I don't see the problem here,

From the article: "So far, the attacks we have seen only target Internet Explorer 6 and would not have been successful against Internet Explorer 8,"

Neither do I.

Re:Bug is really for Windows XP

[benjamindees]

And it's even possible for a browser to alter the registry exactly why???

Broken Windows create jobs.

Re:Bug is really for Windows XP

[CarpetShark]

"Broken Windows create jobs."

I'm a window cleaner, you insensitive clod.

Re:

[Low Ranked Craig]

so you're responsible for those lame MyCleanPC.com ads?

Capitalization

[zooblethorpe]

Broken Windows create Jobs.

Well, that explains quite a bit, actually.

Cheers,

Re:

[engineer_uhg]

Also, broken Windows creates well-compensated Jobs.

Re:Bug is really for Windows XP

[CoderJoe]

And it's even possible for a browser to alter the registry exactly why???

Because it is a program, just like any other, and needs to be able to store its own settings somewhere. For many windows programs, this somewhere is the registry.

(who modded this insightful?)

Re:

[danomac]

Yes, but the application shouldn't be allowed to alter settings in the registry other than its own.

Re:

[RaymondKurzweil]

Fuck you... this is an issue of a fundamental freedom. An application as powerful and useful as a browser should have the right to alter an setting in the registry it wants!!

Re:

[Peeteriz]

Windows registry does not really have a secure concept of "app's own settings" - apps are encouraged to limit their settings to registry tree with the vendor and app name, but there's no secure mapping that would allow to check if virus.exe is or isn't really 'Microsoft\Internet Explorer'.

And it's the same with unix config files - what's stopping an exploit in linux firefox from writing not to FF settings file in your home directory, but to some other applications configfile?

Re:

[f.ardelian]

(who modded this insightful?)

It was probably someone who thought "hmm... where's this browser's config file?"

Re:

[NetNed]

What windows program can't alter the registry exactly?

Re:

[master0ne]

every setting you set in your browser is stored as a registry key. If you set your browser to enable TLS 1.0, thats a boolean reg key that gets enabled, homepage is stored as a.... registry key!

Re:

[dimeglio]

I believe the registry keys we're having an issue with are those, for example, which control application startup enabling malware to install, and not the browser's settings.

Re:

[v1]

And it's even possible for a browser to alter the registry exactly why???

This is simplifying things a bit, but in short, the registry is the one central place where all preferences are stored, for everything, including the OS, its security system, and every single installed application. So at least in hindsight MS tries to stop apps from being able to change each other's registry keys, or add new keys that other systems will use. But the whole thing is basically starting with a sponge and trying to fix the holes one at a time, while the sponge is getting bigger.

Basically if yo

Re:

[metrix007]

What rubbish. A process started as a user can do anything a user can do. That's because current security models are shit. It's no different that under *nix any process started as a user can edit any dotfles in the users home directory.

Becuase you are an administrator

[Sycraft-fu]

If you are an administrator of a system that by definition means you can do everything, including modify the registry. If you cannot understand this concept, then you need to learn more about how privilege levels in computers work and come back. There is no power without responsibility. The power to do something is the power to fuck something up.

Now as this applies to this specifically, most people who use Windows XP run as an administrator. They don't have to, you can run as a deprivileged user and indeed we make people here do that at work, but users do not choose to because it is a pain to do. That means any program they spawn runs with permissions to do anything, since that is the whole idea of an administrator. There is nothing special about a web browser, it is just a process. It can write to the registry, drive, or anything else. The OS doesn't put random restrictions on programs.

In Vista and 7, things are a little different. By default, even users flagged as administrators aren't actually running at an administrator privilege level. They run as regular users and have to elevate when they need to. This means that programs they launch without elevation cannot do things such as write to the registry, as that is not a normal user (and thus their programs) have. Also an additional layer of security was introduced called Mandatory Integrity Control. This allows for programs to be launched with even less privilege than a normal user has. This has to be configured per application, and the only thing I know that uses it is Internet Explorer. It restricts access much further, including denying read access to a great deal of what a user can read.

This is all the same deal as with UNIX. Though Windows permissions are different (Windows has far more granular security) it is the same basic thing. If you run a program as root in UNIX it can do everything, including mess with config files not belonging to it and so on. That is the point of root: To have access to everything. You can't grant that access to the user, but somehow deny it to the user's processes, that goes against the whole idea.

The fundamental problem is that people using XP and older run their systems as administrators, because it is easy to do. The first user you make is an administrator (the system must have one) and it doesn't make you make another. That means that all apps have all access.

Re:

[fireylord]

My web browser can drive? Ooooh goodie!

I'd watch out with that thout, crashing twice a day would be bad for your insurance premiums

Re:

[metrix007]

You probably wont reply to this, but what the hell are you talking about? Windows having more granular security means it can do all the permutations of permissions available in unix and then some.

Re:

[Derek Pomery]

Uh. More granular, yes, but also different. There were a couple of specific combinations they had issues with when mapping rwxrwxrwx to actual permissions.

Trying to find the mailing list entries now. Last time I ran into this with cygwin was around 8 years ago.
Windows permissions presumably haven't changed too much since then though.

Re:

[Derek Pomery]

Found it. That took all of 20 seconds of googling. Let's see how long it takes slashdot to let me repost.

http://www.cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping [cygwin.com]

Still kinda curious about local overrides to global settings though. Does windows have that concept?

Re:

[ginbot462]

Does the "Document and Settings (XP)" and "User (Vista/Win7)" folder count for what you are asking? It IS the "~" equiv in Windows. "Application Data" is under there, where app specific settings are.

Re:

[Derek Pomery]

Naw. I'm aware of those. We use 'em in our apps.

It is more like automatic override of global settings with user specific ones. Bears some similarity to the HKCU hive, except from my understanding of things, not automatic.

Re:

[dbIII]

If you are an administrator of a system that by definition means you can do everything

Not in the weird MS Windows security model where users can lock the root user out (unless that's been fixed, it used to be sold as a feature) - but most of the time your point stands.

Re:

[Blakey Rat]

And it's even possible for a browser to alter the registry exactly why???

Here's a shocking revelation: browsers can also *write files to the filesystem!*

Oh sure, they try to justify this as some kind of "bookmarks" or "caching" feature, but we know they're just intentionally putting security holes in their software.

(On a more serious note, if the user is running Windows XP, IE 6 or 7, and doesn't have DEP turned-on... then they're probably also running as Administrator, which means the browser can do anythi

Re:

[KingMotley]

I have to say that's a pretty ridiculous question. Because the registry is where all the application settings are supposed to be stored. Funny how an application needs access to change things in the registry when that's what it's designed to do.

Re:

[Phopojijo]

One reason is because they're dependent on higher-permissions code... which the exploiting code pretends it is by over-writing part of the higher-permission code in memory... such that the next time said code is run, it is no longer there.

That's actually how DEP works... the CPU executes a string of commands... one after another... some from memory, some from cache, some jumps, some sequential... ... then when it sees code marked as "data"... it freaks out and realizes it somehow got misdirected out of "

ASLR is the other line of defense

[judeancodersfront]

Parent is right, it is only a problem for XP users

Re:

[Anonymous Coward]

Ah no it is a IE6 and potentially a IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6.

DEP is a hardware-based feature, so it is only "on by default on IE8" when the hardware supports it. There is plenty of old hardware out there either without NX support at all, or with NX disabled by default in the BIOS, perfectly capable of running IE8 and Windows 7, and they are vulnerable. For the former set of hardware, the only software fix is a patch from Microsoft. DEP fixes nothing when NX (or equivalent) doesn't exist.

Re:Bug is really for Windows XP

[NetNed]

No DEP is both hardware based and software based.

Microsoft has software based DEP listed as: "An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor."

You can read all about it here [microsoft.com]

Re:Bug is really for Windows XP

[Anonymous Coward]

No DEP is both hardware based and software based.

Nope, DEP is hardware only. What Microsoft calls "software DEP" is nothing more than SafeSEH, which is a totally unrelated and considerably less useful security measure.

Re:

[NetNed]

So you didn't RTFA? Or click the link I posted? Really, it's just a link to Microsoft's page on DEP where it talks of Software DEP, the one that stops this attack from happening. I'm sure there are other exploits that find it easy to surpass software DEP, but in this one software DEP, which is real and is what the original story is talking about, is more then enough to stop this exploit. That is why Microsoft hasn't really been quick to issue a out of sequence update to fix the problem because it only effec

Re:

[hweimer]

Ah no it is a IE6 and potentially a IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6. Really has nothing to do with the UAC controls in place on Vista or Windows 7 since DEP is the front line defense against these attacks and works to stop the attacks before any registry altering is even possible.

DEP has been broken by return-oriented programming. The fact that most exploits don't use it just means that they catch enough victims simply by using the old techniques.

Re:

[NetNed]

Well since TFA talks about a exploit that CAN be stopped by simply running DEP in IE7 or above it really don't matter if DEP has been broken by whatever since the code at hand is only trying to exploit machines where DEP in not installed (IE6) or not on, which could be any IE if a user turned it off for some odd reason.

Re:

[francium de neobie]

But there's no information proving that a coder in-the-know can't turn the DEP-inactive exploit into a DEP-active exploit.

Re:

[NetNed]

Sure there is if you RTFA. Since the story says DEP in IE8 stops it from affecting it I would have to go on that. Could the code be changed in the future to break DEP? Sure, but then it is a different code and a different problem. The code in the story we are talking about can't. We can fantasize about what any code in the open can do, but at this point in time with this code, no it can't break DEP.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[uninformedLuddite]

why?

ie sucks

[Anonymous Coward]

IE is such a poor piece of technology. Before I enter a serious relationship, in addition to a background check, I also investigate the browser my potential significant other is using. If it's IE, I don't even bother since I don't date dummies.

Re:

[PerfectionLost]

My gf uses ubuntu. I think that makes her smarter then me.

That's a stupid test

[judeancodersfront]

I helped a Doctor with his laptop a while back and he was using.....IE8 (GASP). He must have been dummy. I've also helped people who were dolts when it came to picking up malware and they were running Firefox.

Most people use IE8 because it is good enough and its security is fine as long as you are using Windows 7 or Vista. IE6 sucks, IE8 is just mediocre.

Re:

[Stratoukos]

You may be laughing, but there was a documentary some years back, I think it's called Macheads, where a woman said in all seriousness that she wouldn't date any guy using Windows.

Re:

[blind monkey 3]

Was she worried about zero date exploits?

Re:

[DrSkwid]

What if (s)he's still using Netscape 4 ?

Zero-Day?

[Anonymous Coward]

Err, I don't really think you can call it a zero-day anymore.

Attack Kit?

[negRo_slim]

Where can I purchase it? I mean if they state there is a product and even quote a price one would assume it's purchasable somewhere.

Re:

[Anonymous Coward]

There's this new tool [justfuckinggoogleit.com] you really should check out.

Re:

[Anonymous Coward]

I'm sure you could purchase it somewhere, if you wished. Google would probably help. Or, you could just checkout the latest Metasploit SVN, which is probably where the Eleonore kit writers got the exploit. There's been PoC exploit code in there since Thursday.

Re:

[Securityemo]

Author contact details are here: https://damagelab.org/index.php?showtopic=17952&hl=eleonore [damagelab.org]
The post is from last year, but there's a bump from the autor on the second page. I don't know russian, checked it out using google.

Re:

[negRo_slim]

I just find it silly that so much of what is being discussed is all based upon this supposed tool with nary a source to be found. This whole seem things more like a plug for AVG than any real discussion on matters of import.

Re:

[Securityemo]

Yeah. But on the other hand, actual informed commentary would be lost on anyone but malware analysts/coders. Offensive computing has a sample and some initial dissection data at http://www.offensivecomputing.net/?q=node/1419 [offensivecomputing.net], but anyone who would actually be interested already knows this.

Re:

[NetNed]

Not really a AV programs problem as it is that DEP (data execution prevention) isn't available in IE6 and isn't on by default in IE7. IE8 has it on by default so it is not possible to execute the attack on it. So if you are running the latest version of IE8 it is not a issue. OR you could be smart and stop using IE and run Firefox, Chrome, or any other browser that doesn't seem to have as many loopholes, bugs and exploits as IE does.

Re:

[Spad]

Though at all times it bears remembering that Firefox [secunia.com], Chrome [secunia.com] and Others [secunia.com] are all vulnerable to serious exploits from time to time.

Re:

[Nerdfest]

Maybe it's my memory, but I don't see the people behind those browsers say "I don't think this is serious enough for an out of band update". Out of band? Fix teh damn bugs as soon as you can and let people install the patches later if that's what makes them happy.

Re:

[BCoates]

If the parent post is correct that only IE7 and earlier are vulnerable in their default configurations, the fair comparison would be to update support for browsers a year and a half out of date--are firefox 2.0 or 3.0 still getting timely security patches?

Re:

[Securityemo]

No, you're paying to an industry that centers around making itself obsolete.

obligatory southpark reference

[FudRucker]

1. Make browser with undocumented vulnerabilities 2. Sell exploits for lucrative prices 3. ????? 4. Profit!!!

Re:

[amicusNYCL]

Right, Microsoft was sitting on this goldmine for the past 9 years just waiting to cash it in.

Re:

[by (1706743)]

Pretty sure 4) follows from 2), thus negating the need for 3).

Now, collecting underwear...therein lies the true mystery.

News really?

[Evil_Ether]

How is Microsoft not fixing a vulnerability news? I say let the Windows users rot in their crapware infested systems!

Re:

[Zaiff Urgulbunger]

I'd agree... but I also own an Android 2.1 phone! :( [slashdot.org]

Maybe it's the most popular one

[pinkeen]

But cerainly not the best one - a quick search on youtube yielded great results - check out the liquavista display [youtube.com].

Just a part of the Windows ecosystem

[NicknamesAreStupid]

I wonder if this affects Windows Mobile 7? As I recall, it uses IE7. BTW, did you know that windows kill about a billion birds each year? No shit. They run into them, banging their heads again and again. Before anyone mods this off-topic, please consider the metaphor.

Re:

[judeancodersfront]

Why was this modded down?

Well, the first step...

[MacGyver2210]

...is to stop using IE for anything. It's a garbage browser.

Why would anyone use it when there's so many higher-quality free alternatives? Firefox? Chrome?

Just let it die.

So?

[Lanteran]

Internet explorer is Internet explorer. If you're using it, you deserve whatever you get.

Hmm.

[vegiVamp]

> Microsoft has promised to patch the vulnerability, but last week said the threat didn't warrant an 'out-of-band' update.

So, this is a zero-day HOW ?

Subject

[Legion303]

So if you read between Microsoft's lines, they appear to be suggesting a temporary workaround of not using IE.