Essentially, the zero-day (previously unknown) vulnerability involves a .NET Framework file, msdds.dll. The SANS patch disables its usage via ActiveX. Apparently FrSIRT revealed the exploit to the SANS Institute, and it can be considered a .NET exploit. It will soon be in the wild. The upshot is that a malicious website could exploit Internet Explorer to run arbitrary code on the local machine.
The file msdds.dll is typically installed with Visual Studio .NET, but other .NET-based applications may distribute the file.
Here are more details from SANS…
Typically, you will find it in
Program Files\Common Files\Microsoft Shared\MSDesigners7. [Jordan]
Here is a list of applications that may install this component:
(Disclaimer: We can’t test them all… but it should help you prioritize)
MS Visual Studio .Net
.Net Framework 1.1
Microsoft Office (2000, 2002, XP) [Karl, Juha-Matti]
Access 11 (2003) runtime [Scott]
ATI Catalyst driver installed by newer ATI video cards [Eric]
MSDDS.DLL is not found on Win2003 SP1 SERVER with .net installed (not Visual Studio .net). [Andy].
Not all default Office 2000 installs have msdds.dll installed. [Emmanuel] We get conflicting reports, likely due to various configuration and install choices.
The version of MSDDS.DLL installed with Office 2003 is not vulnerable.
If you test your system using the PoC exploit, please let us know if it succeeded, and what version of MSDDS.DLL you are using. Version 7.10.3077.0 may not be vulnerable (according to Secunia and our testing). [Juha-Matti]
Version 7.0.9064.9112 is vulnerable [Gilles].
Further they suggest workarounds…
Other Mitigation Techniques:
– Use a Non-ActiveX aware browser (Firefox, Opera…)
– remove the vulnerable DLL. (we do not know what will break as a result)
– this issue can be blocked by setting the ‘kill bit’ for the respective DLL. Using a registry editor, set: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\EC444CB6-3E7E-4865-B1C3- 0DE72EF39B3F\Compatibility Flags=0x00000400 [Jerry] I added a space in the key to avoid the above mentioned content filter rule [John].
They also suggest blocking the following string at the proxy level for those with the capability to do so…
EC444CB6(dash)3E7E(dash)4865(dash)B1C3(dash)0DE72EF39B3F (all (dash) should be substituted with - )
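To check a machine against the version reports and the kill-bit workaround above, the following PowerShell audit is an added example, not code from SANS or the original post. It assumes the default install folder, writes the CLSID without the filter-evading space and in braces (the form kill-bit keys take under ActiveX Compatibility), and also checks the WOW6432Node view that 32-bit Internet Explorer reads on 64-bit Windows; the function names are illustrative.

```powershell
# Added example: audit the local machine for msdds.dll and its ActiveX kill bit.
$Clsid   = '{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}'  # CLSID from the text, in brace form
$KillBit = 0x400                                      # Compatibility Flags value from the text
$SubKey  = 'Microsoft\Internet Explorer\ActiveX Compatibility'
# Version reports quoted in the text; any other version is reported as unknown.
$Reported = @{ '7.0.9064.9112' = 'vulnerable'; '7.10.3077.0' = 'may not be vulnerable' }

function Get-MsddsCopy {
    # Assumption: the DLL sits in the usual folder under a Program Files root.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        $path = Join-Path $root 'Common Files\Microsoft Shared\MSDesigners7\msdds.dll'
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $v   = (Get-Item -LiteralPath $path).VersionInfo
        $ver = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
        $status = if ($Reported.ContainsKey($ver)) { $Reported[$ver] } else { 'unknown' }
        [pscustomobject]@{ Path = $path; Version = $ver; Reported = $status }
    }
}

function Get-KillBitState {
    # Checks the native view and, on 64-bit Windows, the 32-bit (WOW6432Node) view.
    foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $base = Join-Path $view $SubKey
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $key   = Join-Path $base $Clsid
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            # Missing value yields $null, which is reported as 'not set'.
            $flags = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { 'not set' }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

$copies = @(Get-MsddsCopy)
if ($copies.Count -eq 0) { 'msdds.dll not found in the usual location' } else { $copies | Format-List }
Get-KillBitState | Format-List
```

A machine with a copy of the DLL and `KillBitSet` false in either registry view still lets Internet Explorer instantiate the control from that view.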
One final note from Incidents.org on the issue…
– MSDDS stands for “Microsoft Design Tools – Diagram Surface”.
– you sometimes may find the (wrong) spelling of msdss in earlier versions of our diaries.
Further, the SecurityFix has an update on the issue pointing to the SANS patch and suggesting the best workaround is to NOT USE INTERNET EXPLORER.