Update on Internet Explorer Zero Day exploit

Yesterday I mentioned a SANS report on a possible zero day exploit against Internet Explorer. Today they have more details in the handlers diary. Among other things SANS has issued a patch for it.

Essentially the zero day (or previously unknown) vulnerability deals with a .Net framework file, msdds.dll . The SANS patch disables it’s usage via ActiveX. Apparently FRSIRT revealed the exploit to the Sans institute and it can be considered a .NET exploit. It will soon be in the wild. The upshot is that a malicious website could exploit Internet Explorer to run arbitrary code on the local machine.

The file msdds.dll is typically installed with Visual Studio .NET, but other dotNET based applications may distribute the file.

Here are more details from SANS…

Typically, you will find it in
Program FilesCommon FilesMicrosoftSharedMSDesigners7 .[Jordan]

Here is a list of applications that may install this component:
(Disclaimer: We can’t test them all… but it should help you prioritize)
MS Visual Studio .Net
.Net Framework 1.1
Microsoft Office (2000, 2002, XP) [Karl, Juha-Matti]
Microsoft Project
Visio [Chris]
Access 11 (2003) runtime [Scott]
ATI Catalyst driver installed by newer ATI video cards [Eric]

MSDDS.DLL is not found on Win2003 SP1 SERVER with .net installed (not Visual Studio .net). [Andy].

Not all default Office 2000 installs have msdds.dll installed. [Emmanuel] We get conflicting reports, likely due to various configuration and install choices.

The version of MSDDS.DLL installed with Office 2003 is not vulnerable.

If you test your system using the PoC exploit, please let us know if it succeeded, and what version of MSDDS.DLL you are using. Version 7.10.3077.0 may not be vulnerable (according to Secunia and our testing). [Juha-Matti]

Version 7.0.9064.9112 is vulnerable [Gilles].

Further they suggest workarounds…

Other Mitigation Techniques:
– Use a Non-ActiveX aware browser (Firefox, Opera…)
– remove the vulnerable DLL. (we do not know what will break as a result)
– this issue can be blocked by setting the ‘kill bit’ for the respective DLL. Using a registry editor, set: HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX CompatibilityEC444CB6-3E7E-4865-B1C3- 0DE72EF39B3FCompatibility Flags=0×00000400″ [Jerry] I added a space in the key to avoid the above mentioned content filter rule [John].

They also suggest blocking the following string at the proxy level for those with the capability to do so…

EC444CB6(dash)3E7E(dash)4865(dash)B1C3(dash)0DE72EF39B3F (all (dash) should be substituted with – )

One final note from Incidents.org on the issue…

MSDDS Trivia:
– MSDDS stands for “Microsoft Design Tools – Diagram Surface”.
– you sometimes may find the (wrong) spelling of msdss in earlier versions of our diaries.

Secunia has an advisory on the issue.

Further, The SecurityFix has an update on the issue pointing to the SANS patch and suggesting the best workaround is to NOT USE INTERNET EXPLORER.

Related Posts

Blog Traffic Exchange Related Posts
  • Workaround for the critical WMF zero-day exploit The Windows Meta File (WMF) zero-day (0-day) exploit is apparently, VERY nasty, no user intervention required (unless running firefox or opera). Just VISITING a malicous site (viewing a malicious email with image...) would be enough to get the system owned. It sounds as though a FULL reinstall is the best......
  • Exploit for Unpatched Internet Explorer vulnerability Well.... buckle your seatbelts it's going to be a bumpy start to the week. the securityfix as well as incidents.org are reporting on exploit code that has been released that takes advantage of an unpatched Internet Explorer vulnerability. According to the Sans institute diary entry... they have tested the exploit......
  • WMF exploit unofficial patch Sans is talking about the unofficial patch for the WMF vulnerability. One of their handlers has helped with it to extend it to work on XP SP 1 and Windows 2000. They've also looked at the patch thoroughly and it sounds as though it's very well done. We want to......
Blog Traffic Exchange Related Websites
  • The Principles Of CPanel Net Internet Hosting I am positive that if you are visiting this page, you will be interested in ix webhosting. If you are a webmaster and you will need to choose between so several types of world wide web internet hosting, then you ought to possibly just settle with the cPanel world wide......
  • Review of Windows Live Writer When you find a tool that makes life easier, there is nothing more exciting. The need for corporations to simplify and systematize their processes has to do with working smart and taking advantage of things that allow workers to reach their goals without having to work quite as hard. One......
  • California Hatchery Salmon Truck Delivered To San Pablo Bay In an unprecedented step in an attempt to revive the wild California King Salmon population the nonprofit Fishery Foundation of California trucked all all hatchery raised King Salmon to the top of the San Pablo Bay. The effort took 2.5 months an involved some 20 million fish. The step was......
www.pdf24.org    Send article as PDF   

Similar Posts

See what happened this day in history from either BBC Wikipedia
Amazon Logo

One Response to “Update on Internet Explorer Zero Day exploit”

  1. Avery J. Parker - Web site hosting and computer service Says:

    [...] Earlier updates on this event on my site are here and the initial post here. [...]

Switch to our mobile site