Update on Internet Explorer Zero Day exploit



Yesterday I mentioned a SANS report on a possible zero day exploit against Internet Explorer. Today they have more details in the handlers diary. Among other things SANS has issued a patch for it.


Essentially the zero day (or previously unknown) vulnerability deals with a .Net framework file, msdds.dll . The SANS patch disables it’s usage via ActiveX. Apparently FRSIRT revealed the exploit to the Sans institute and it can be considered a .NET exploit. It will soon be in the wild. The upshot is that a malicious website could exploit Internet Explorer to run arbitrary code on the local machine.

The file msdds.dll is typically installed with Visual Studio .NET, but other dotNET based applications may distribute the file.

Here are more details from SANS…

Typically, you will find it in
Program Files\Common Files\MicrosoftShared\MSDesigners7 .[Jordan]

Here is a list of applications that may install this component:
(Disclaimer: We can’t test them all… but it should help you prioritize)
MS Visual Studio .Net
.Net Framework 1.1
Microsoft Office (2000, 2002, XP) [Karl, Juha-Matti]
Microsoft Project
Visio [Chris]
Access 11 (2003) runtime [Scott]
ATI Catalyst driver installed by newer ATI video cards [Eric]

MSDDS.DLL is not found on Win2003 SP1 SERVER with .net installed (not Visual Studio .net). [Andy].

Not all default Office 2000 installs have msdds.dll installed. [Emmanuel] We get conflicting reports, likely due to various configuration and install choices.

The version of MSDDS.DLL installed with Office 2003 is not vulnerable.

If you test your system using the PoC exploit, please let us know if it succeeded, and what version of MSDDS.DLL you are using. Version 7.10.3077.0 may not be vulnerable (according to Secunia and our testing). [Juha-Matti]

Version 7.0.9064.9112 is vulnerable [Gilles].

Further they suggest workarounds…

Other Mitigation Techniques:
– Use a Non-ActiveX aware browser (Firefox, Opera…)
– remove the vulnerable DLL. (we do not know what will break as a result)
– this issue can be blocked by setting the ‘kill bit’ for the respective DLL. Using a registry editor, set: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\EC444CB6-3E7E-4865-B1C3- 0DE72EF39B3F\Compatibility Flags=0x00000400″ [Jerry] I added a space in the key to avoid the above mentioned content filter rule [John].

They also suggest blocking the following string at the proxy level for those with the capability to do so…

EC444CB6(dash)3E7E(dash)4865(dash)B1C3(dash)0DE72EF39B3F (all (dash) should be substituted with – )

One final note from Incidents.org on the issue…

MSDDS Trivia:
– MSDDS stands for “Microsoft Design Tools – Diagram Surface”.
– you sometimes may find the (wrong) spelling of msdss in earlier versions of our diaries.

Secunia has an advisory on the issue.

Further, The SecurityFix has an update on the issue pointing to the SANS patch and suggesting the best workaround is to NOT USE INTERNET EXPLORER.

   Send article as PDF   

Similar Posts