Another update on the 0day Explorer exploit



Well, it looks like quite a bit took place on the “zero day exploit front” while I was out. There is another update at The SANS Institute. The first thing to notice is that they’ve raised their alert level to Yellow over the impending active exploitation of this vulnerability.


Earlier updates on this event on my site are here and the initial post here.

Among the other information that SANS gives this evening is that they’ve tidied their summary from earlier. Essentially this exploit will open a remote shell and allow arbitrary code to be executed at the privilege level of the user. As of 4 PM this afternoon Microsoft has announced an advisory on this issue, but no patch yet. They are “aggressively investigating” these reports of the vulnerability.

SANS still has their patch available (follow the above link to find the details). They do note that this patch may break ActiveX components that try to activate this DLL. The DLL in question, of course, is msdds.dll, a .NET component that ships with several products. (See the earlier post here or the SANS Institute’s site for more details.)

Microsoft, in their advisory, is “concerned” over how this vulnerability was disclosed, saying that the practice of notifying the vendor first should have been the way to deal with the issue. (All malicious hackers out there, remember: when you find a new vulnerability, tell MS first before you start using it.) Realistically, most of the time this is what responsible IT security professionals do. In this case I notice that the SANS Institute also has an open letter to Microsoft.

The summary of that is that this vulnerability may be zero day, but the underlying problem has been known for 380 days and Microsoft has YET to address the issue. (They point to this Information Week article as evidence of a similar flaw.) It appears that Microsoft has urged users to set “kill bits” on individual ActiveX/COM objects and has a how-to write-up in their Knowledge Base: essentially, open regedit, burrow down to some really NASTY-looking keys and change a DWORD.

(The key is named by the CLSID of the ActiveX control; their suggestion for determining the correct CLSID is to uninstall all of them and reinstall only the one you are trying to modify.)

I would hesitate with this myself; I can’t imagine recommending this to ANYONE as a fix for them to try. Ultimately SANS gets at the real problem, which is that the default policy is to ALLOW the kind of communication that causes this exploit. They also call on MS to change to a default DENY policy, and say that the issue needs attention and CANNOT wait until Vista and/or IE7.
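For anyone who does go the kill-bit route, here is an added PowerShell example (not code from this post, SANS or Microsoft) that audits the kill bit for a given CLSID, looks up CLSIDs by the DLL that implements them so you don't have to uninstall everything to find the right one, and only sets the bit when you uncomment the last line. The CLSID in the usage section is a placeholder, not msdds.dll's.

```powershell
# Added example. Kill-bit mechanism: under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, the DWORD
# "Compatibility Flags" with bit 0x400 set tells IE not to instantiate that control.
$KillBit   = 0x400
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# List registered COM classes whose in-process server DLL matches the given file name,
# by reading HKLM\SOFTWARE\Classes\CLSID\{...}\InprocServer32.
function Find-ClsidByDll {
    param([Parameter(Mandatory)][string]$DllName)
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -like "*\$DllName") {
            [pscustomobject]@{ Clsid = $_.PSChildName; Server = $srv.'(default)' }
        }
    }
}

# Report whether the kill bit is currently set for one CLSID (read-only).
function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    $key   = "$CompatKey\$Clsid"
    $flags = 0
    if (Test-Path $key) {
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $v) { $flags = [int]$v }
    }
    [pscustomobject]@{
        Clsid      = $Clsid
        Flags      = $flags
        FlagsHex   = ('0x{0:X8}' -f $flags)
        KillBitSet = (($flags -band $KillBit) -ne 0)
    }
}

# Set the kill bit, preserving any other compatibility flags already present (needs admin).
function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$CompatKey\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-KillBitState -Clsid $Clsid).Flags
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($current -bor $KillBit)
    Get-KillBitState -Clsid $Clsid
}

# Usage: find the CLSIDs for a DLL, inspect them, then decide whether to apply the kill bit.
Find-ClsidByDll -DllName 'msdds.dll' | Format-Table -AutoSize
$TargetClsid = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER, substitute a real CLSID
Get-KillBitState -Clsid $TargetClsid
# Set-KillBit -Clsid $TargetClsid    # uncomment to apply, from an elevated PowerShell
```

Check the output of Get-KillBitState before and after, and remember the post's caveat: a kill bit stops every legitimate use of that control in IE as well.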

There is a workaround suggested at SANS; it sounds like it may take a bit to work through, and I would not suggest it for someone who has never used regedit before. Apparently this Knowledge Base article gives more information.

Further, there are a few more updates at Security Fix on this afternoon’s events. They mention both the SANS yellow alert and the Microsoft announcement.

Hopefully we’ll see an out-of-cycle Microsoft patch that will take care of this and any other future problems exploiting this ActiveX flaw.
