
IE Flaw Exploit In Hacker Kit 'Raises the Stakes'

Posted by Soulskill
from the calling-a-bluff dept.
CWmike writes "Roger Thompson, chief research officer of AVG Technologies, said Sunday that an exploit for the newest IE flaw had been added to the Eleonore crimeware attack kit. 'This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day,' Thompson said on his company's blog. Microsoft has promised to patch the vulnerability, but last week said the threat didn't warrant an 'out-of-band' update. Microsoft will deliver three security updates Nov. 9, but won't fix the IE bug then."
  • by Anonymous Coward
    This bug is really only a serious problem for Windows XP users. (Yes, I know there are still a lot of them - however there are also a lot of Windows 7 users now and some Vista users). For Vista and Windows 7, since IE runs not just as a standard user, but also with Protected Mode (less than standard user rights and cannot write to the file system or registry outside of some very restricted locations), it isn't really an issue. Hence the lower priority on the patch.
    • by NetNed (955141) on Monday November 08, 2010 @06:27PM (#34167292)
      Ah, no, it is an IE6 and potentially an IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6. Really has nothing to do with the UAC controls in place on Vista or Windows 7 since DEP is the front line defense against these attacks and works to stop the attacks before any registry altering is even possible.
      • Parent is right, it is only a problem for XP users
      • Re: (Score:1, Informative)

        by Anonymous Coward

        Ah, no, it is an IE6 and potentially an IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6.

        DEP is a hardware-based feature, so it is only "on by default on IE8" when the hardware supports it. There is plenty of old hardware out there either without NX support at all, or with NX disabled by default in the BIOS, perfectly capable of running IE8 and Windows 7, and they are vulnerable. For the former set of hardware, the only software fix is a patch from Microsoft. DEP fixes nothing when NX (or equivalent) doesn't exist.

        • by NetNed (955141) on Monday November 08, 2010 @06:49PM (#34167552)
          No, DEP is both hardware based and software based.

          Microsoft has software based DEP listed as: "An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor."

          You can read all about it here [microsoft.com]
          • by Anonymous Coward on Monday November 08, 2010 @07:14PM (#34167836)

            No, DEP is both hardware based and software based.

            Nope, DEP is hardware only. What Microsoft calls "software DEP" is nothing more than SafeSEH, which is a totally unrelated and considerably less useful security measure.

            • by NetNed (955141)
              So you didn't RTFA? Or click the link I posted? Really, it's just a link to Microsoft's page on DEP where it talks of Software DEP, the one that stops this attack from happening. I'm sure there are other exploits that find it easy to surpass software DEP, but in this one software DEP, which is real and is what the original story is talking about, is more than enough to stop this exploit. That is why Microsoft hasn't really been quick to issue an out-of-sequence update to fix the problem because it only effec
      • Re: (Score:3, Insightful)

        by hweimer (709734)

        Ah, no, it is an IE6 and potentially an IE7 problem if you do not have DEP turned on. It is on by default on IE8, but not in 7 and doesn't exist in 6. Really has nothing to do with the UAC controls in place on Vista or Windows 7 since DEP is the front line defense against these attacks and works to stop the attacks before any registry altering is even possible.

        DEP has been broken by return-oriented programming. The fact that most exploits don't use it just means that they catch enough victims simply by using the old techniques.

        • by NetNed (955141)
          Well, since TFA talks about an exploit that CAN be stopped by simply running DEP in IE7 or above, it really doesn't matter if DEP has been broken by whatever, since the code at hand is only trying to exploit machines where DEP is not installed (IE6) or not on, which could be any IE if a user turned it off for some odd reason.
          • But there's no information proving that a coder in-the-know can't turn the DEP-inactive exploit into a DEP-active exploit.
            • by NetNed (955141)
              Sure there is if you RTFA. Since the story says DEP in IE8 stops it from affecting it I would have to go on that. Could the code be changed in the future to break DEP? Sure, but then it is a different code and a different problem. The code in the story we are talking about can't. We can fantasize about what any code in the open can do, but at this point in time with this code, no it can't break DEP.
      • Re: (Score:3, Interesting)

        by hairyfeet (841228)

        For those on XP there is an easy way that will probably work to stop this cold. I say probably because I haven't had the time to look for an attack site and play with the code. But on XP you can use the Free Comodo Internet Security [comodo.com] or Comodo Av (both free) and under "Defense +" settings choose to run IE always in the sandbox. This will keep IE from doing any real registry or file writing, instead dumping any writes to a virtual registry and file system that is locked off from the OS.

        While I agree it is M

  • ie sucks (Score:2, Funny)

    by Anonymous Coward

    IE is such a poor piece of technology. Before I enter a serious relationship, in addition to a background check, I also investigate the browser my potential significant other is using. If it's IE, I don't even bother since I don't date dummies.

    • My gf uses Ubuntu. I think that makes her smarter than me.

    • I helped a Doctor with his laptop a while back and he was using.....IE8 (GASP). He must have been a dummy. I've also helped people who were dolts when it came to picking up malware and they were running Firefox.

      Most people use IE8 because it is good enough and its security is fine as long as you are using Windows 7 or Vista. IE6 sucks, IE8 is just mediocre.
    • You may be laughing, but there was a documentary some years back, I think it's called Macheads, where a woman said in all seriousness that she wouldn't date any guy using Windows.

    • by DrSkwid (118965)

      What if (s)he's still using Netscape 4 ?

  • Zero-Day? (Score:1, Informative)

    by Anonymous Coward

    Err, I don't really think you can call it a zero-day anymore.

  • Where can I purchase it? I mean if they state there is a product and even quote a price one would assume it's purchasable somewhere.
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      There's this new tool [justfuckinggoogleit.com] you really should check out.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      I'm sure you could purchase it somewhere, if you wished. Google would probably help. Or, you could just checkout the latest Metasploit SVN, which is probably where the Eleonore kit writers got the exploit. There's been PoC exploit code in there since Thursday.

    • Author contact details are here: https://damagelab.org/index.php?showtopic=17952&hl=eleonore [damagelab.org]
      The post is from last year, but there's a bump from the author on the second page. I don't know Russian, checked it out using Google.
      • I just find it silly that so much of what is being discussed is all based upon this supposed tool with nary a source to be found. This whole thing seems more like a plug for AVG than any real discussion on matters of import.
  • 1. Make browser with undocumented vulnerabilities 2. Sell exploits for lucrative prices 3. ????? 4. Profit!!!
    • Right, Microsoft was sitting on this goldmine for the past 9 years just waiting to cash it in.

    • Pretty sure 4) follows from 2), thus negating the need for 3).

      Now, collecting underwear...therein lies the true mystery.
  • How is Microsoft not fixing a vulnerability news? I say let the Windows users rot in their crapware infested systems!
  • But certainly not the best one - a quick search on youtube yielded great results - check out the liquavista display [youtube.com].
  • I wonder if this affects Windows Mobile 7? As I recall, it uses IE7. BTW, did you know that windows kill about a billion birds each year? No shit. They run into them, banging their heads again and again. Before anyone mods this off-topic, please consider the metaphor.
  • ...is to stop using IE for anything. It's a garbage browser.

    Why would anyone use it when there's so many higher-quality free alternatives? Firefox? Chrome?

    Just let it die.

  • by Lanteran (1883836)
    Internet explorer is Internet explorer. If you're using it, you deserve whatever you get.
  • by vegiVamp (518171)

    > Microsoft has promised to patch the vulnerability, but last week said the threat didn't warrant an 'out-of-band' update.

    So, this is a zero-day HOW ?

  • So if you read between Microsoft's lines, they appear to be suggesting a temporary workaround of not using IE.
