Windows users ambushed by attack on fresh IE flaw

[DaBees-Knees]

http://www.theregister.co.uk/2009/07/06/new_microsoft_exploit_in_wild/

Thousands of websites have been hit by fast-moving exploit code that installs a cocktail of nasty malware on visitors' computers by targeting a previously unknown vulnerability in some versions of Internet Explorer.

The compromised websites link to a series of servers that exploit a zero-day vulnerability in an IE component that processes media. The vulnerability affects those using the XP and 2003 versions of Windows, Microsoft warned in this advisory.


"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user," company security representatives wrote. "When using Internet Explorer, code execution is remote and may not require any user intervention."

More than 1,000 websites have been compromised so they include links that redirect users to sites that exploit the vulnerability, according to this translation of an advisory from CSIS. The warning said Windows 2000 was also vulnerable to the attacks, contrary to Microsoft's write-up, which explicitly said 2000 was not affected.

What isn't in dispute is that IE 7 on Vista is not vulnerable, presumably because ActiveX objects are blocked by default, according to this blog entry from McAfee researchers Haowei Ren and Geok Meng Ong.

The compromised websites are largely located in China and are operated by local schools and community centers. They point to a series of links that ultimately redirect users to a server at 8oy4t.8 866.org, according to CSIS. The site includes a JPG file that exploits a variety of vulnerabilities, "including an unprecedented stack overflow in DirectShow MPEG2TuneRequest," according to CSIS. Secunia rates the vulnerability "extremely critical," the highest rating on its five-tier severity scale.

Other vulnerabilities that are exploited are known as XMLhttp.d, RealPlay.a, BBar, and the MS06-014, according to McAfee.

The new vulnerability in DirectShow is different than a DirectShow security bug Microsoft warned of in late May, a spokesman said.

Today's Microsoft advisory offers a workaround users can take to safeguard against the vulnerability until a patch is released. It involves making changes to the Windows registry, a risky undertaking for those who aren't sure what they're doing. The easier fix is to stop using IE until there's a fix, at least for those who don't use apps that are dependent on the Microsoft browser

Let's hope they pull their fingers out and get a fix.  

Addendum: Microsoft 'ignored critical IE bug for 18 months' - http://www.pcadvisor.co.uk/news/index.cfm?newsid=118770

[White Stripes]

nuff said....?

[ñòóKýçrÕôK]

No, not nuff said.    Does it tell you how many useless browser addons you need in IE to make these types of things happen? I mean comeon, how many search bars does ONE web browser need? I open IE and I know almost immediately it's an infected machine because stupid people have 10 browser search toolbars. WHY? You DON'T need them. And does it say how many settings that are set by default to protect users from unregistered, unsigned, and unguarded activeX controls? Does it say you have to be a pc using moron to go in and disable all of these protective features just to make these sorts of things possable? Does it say that all these other "safe" (keep dreaming) browsers use the same or similar settings to protect users in the same way, UNLESS some goofball user goes in and disables all of them and makes it possable on those browsers also? Fact is internet explorer has been slammed on since the dawn of its days because unknowledgable users go in and tamper with things they have no business fooling with because they have no idea WHAT they're fooling with and then you get reports "MY IE DID THIS TO ME!!".    Bullpucky n puter smoke is all it is. Use your brain and search google for browser safety and do it objectively and with an open mind and you'll find that every one of them have flaws n exploits. Only difference is IE is always the blame and the bad guy because it comes with windows as a standard and most people don't fool with anything else cause it's too much hassle.

[White Stripes]

Only difference is IE is always the blame and the bad guy because it comes with windows as a standard

actually it doesnt 'come with windows' its built into windows (go ahead... open 'my computer' and type a web address in the toolbar).... the others can be completely uninstalled should they be to the end users disliking.... only thing you can realistically do to IE (and not kill half the apps on your system.. including winmx...) is hide the IE shortcut button....

dont believe me? try uninstalling IE from add/remove programs... well... you got an older version now if you kept the backup files... but you didnt get rid of it... howbout from the 'windows components' area.... nope... that just hides the icon(s)... (start > run > iexplore and.... its back)

if IE was standalone and could be completely uninstalled without destroying windows itself then then your argument would be valid...

and no... you dont have to install toolbars to get infected... just using IEs defaults and quite often even its highest 'anal retentive' security settings is enough to get infected with many nasty things....

the department of defence has had to put their foot down many times and..... IE is still the hole in the pain in the glass.... with gaping flaws going as long as 6months unpatched.... be nice if i could just... uninstall it...

[ñòóKýçrÕôK]

Did you at least look for the flaws in the rest? Or did you just decide a closeminded blast would be better? 

[White Stripes]

plenty of flaws i the rest... i dont use firefox cos its very buggy and safari is a repackaged version of konqueror with -several- flaws... opera has holes in it... tho the version i have on windows at least doesnt have any known holes... and i 'whitelist' javascript and other 'executable' features anyway....

even shockwave flash has holes in it.... (dont have it installed on -any- platform.... its serves no real purpose anyway)

java? yep... that too... any application... esp the ones that attach to the web... has holes... im not denying that...

tho like i said... i can uninstall those.... show me again how to uninstall IE?

your argument is still invalid because of that simple fact that IE is not standalone (like the others) with uninstallation option..... IE is not an 'option'... its mandatory...

[ñòóKýçrÕôK]

My arguement is still very valid. All browsers have exploits, like I said. If it had nothing to with IE settings that allowed exploits like this to be used against a pc user then I can assure you with where I go in IE I would've been exploited a LONG time ago and still would to this day. The only time I can ever remember falling victim to a browser exploit was years ago in the IE 5 days. And guess how I made it possable. It will only take 1 guess I can assure you of that. I went into the settings and dropped the security settings to make it more convenient for me and made it more convenient to them. I never claimed you could uninstall IE so I'm not sure where that is coming from. I understand what you're saying about it not being uninstallable. I'm saying it irks to no end when you and others get on here and blast IE like it's the scurge of our time and then post your other browsers that you use like they are SO much safer when they are not. To this day I see firefox users who nievely think that they can't get into trouble using firefox, like it's flaw free when it's very far from it. This belief is due to the constant misconception given by other knowledgable users like yourself and others constantly bashing IE like it's a holy terror and then parading your browser you use like it's the greatest thing since white bread. I know you know what you're talking about. So do others and they hang on what you say. So tell them everything.

[White Stripes]

my point about IE not being uninstallable is that IE is running (and is still a potential security hole) regardless if you are using it as your default browser or not.....

examples;

the 'minibrowser' of winamp is really IE in different clothing.... if IE were not installed that would not be functional and thus not exploitable.... regardless if winamp were not (granted winamp has -very- many bugs and i urge users of that player to keep it updated) the 'victim' of the exploit it would still happen... through IE...

the 'update' bar of winmx... again IE in different clothing... the community patch luckily feeds it an internal XML page that gets its data elsewhere but 'left alone' that little snippet of a bar can be a potential explot and yet again have nothing to do with winmx being exploited.... no IE no update bar.... tho granted winmx wouldnt function very well (if at all) without IE installed....

the windows shell.... like i mentioned before.... open my computer and type a web address.... and the 'show web content on desktop' option.... even using a jpeg or gif as a wallpaper uses IE to do it.... and IIRC there was a 'jpeg bug' that didnt care what settings IE had it would exploit it... esp if the image were stored locally... if the shell wasnt based on IE this would not be a problem.... (technical note: IE is used to show jpegs and gifs on the desktop because the only native format that windows itself supports for wallpaper/desktop images is the oldschool bitmap format (.bmp)... this has changed in vista... but remains in XP and earlier versions)

-entirely- changing the shell so that IE isnt used at all takes a -lot- of 3rd party utilities and registry tweaks.... so its not for the faint of heart.... and it still doesnt get rid of the application dependencies on IE....

the 'help' system.... .chm files... an "acronym" for 'compiled html' (IIRC) is just that.... help files that use html and in turn IE in yet -another- form.... remember the macro viruses for ms word?... howbout pdf files with viruses? ms word and adobe acrobat arent mandatory... but IE is...

theres my (and many IT personell's) bottom line 'beef' with IE.... its not just a browser that can be uninstalled and switched away from at the users whim.... its an unnecessarily integral part of the OS that a bug 'in the wild' can exploit at many points... not just the "browser" part of it....

one single flaw + multiple points of entry = a security nightmare...

[ñòóKýçrÕôK]

Correct me if I'm wrong but wasn't IE made a seperate process with IE7? IE7 and up if you type a url in windows explorer it doesn't open the web page in windows explorer. Windows opens it an IE instance and navigates via the IE process. In task manager Internet Explorer is no longer the explorer.exe process. It is iexplore.exe. IE7 and IE8 are no longer an integrated part of windows explorer. The rest of that I do believe you are right like the browser in winamp IS IE in just a different dressing. Like I said, correct me if I'm wrong but I think it's different now. In which case if it is it would mean you would be doing yourself a favor if you can upgrade to 1 of those version if for no other reason that to seperate the processes. Then you could choose to NOT use it if you wished. Btw I'd recomend IE7 vs IE8. I'm using IE8 and it's still very buggy.

[ñòóKýçrÕôK]

With IE7 the "Windows Explorer" and "Internet Explorer" integration is
gone. WHy have they done that? In the XP "Windows Explorer" one could
enter an URL inside the "file mangager" and get the web-page to the
right (the same way as the file list), still keeping the folder-tree
to the left. With IE7 installed it just opens up a new IE7

I found that at http://www.winvistatips.com/ie7-windows-explorer-and-internet-explorer-integration-gone-t303676.html

As for removing IE from Windows even that has been changed.

Internet Explorer removal has changed over its version history, but the nature of many of its upgrades and installation methods has been source of public interest. The first version to be included was version 2 with Windows 95 in late 1996. Later, users who upgraded to IE3 (which came out in 1996), could still use the last IE, because the installation converted the previous version to separate directory.[1]

However, Internet Explorer 4 created a controversy with its shell integration with Windows Explorer, and with later versions removal (or inability to do so) became more complicated. The idea of removing Internet Explorer from a Microsoft Windows operating system was proposed during the United States v. Microsoft case. Later, some security advocates took up the idea as a way to protect Windows systems from attack via IE vulnerabilities. By the release of Internet Explorer 7, some of the shell integration began being reduced, such as changing ActiveX hosting and a different look than Windows Explorer.

As of build 7048 of Windows 7, Microsoft added the ability to safely remove Internet Explorer 8 from Windows.[2] Microsoft does not allow the dependencies to be removed through this process, but the Internet Explorer executable (iexplore.exe) is removed without harming any other Windows components.
Internet Explorer removal has changed over its version history, but the nature of many of its upgrades and installation methods has been source of public interest. The first version to be included was version 2 with Windows 95 in late 1996. Later, users who upgraded to IE3 (which came out in 1996), could still use the last IE, because the installation converted the previous version to separate directory.[1]

However, Internet Explorer 4 created a controversy with its shell integration with Windows Explorer, and with later versions removal (or inability to do so) became more complicated. The idea of removing Internet Explorer from a Microsoft Windows operating system was proposed during the United States v. Microsoft case. Later, some security advocates took up the idea as a way to protect Windows systems from attack via IE vulnerabilities. By the release of Internet Explorer 7, some of the shell integration began being reduced, such as changing ActiveX hosting and a different look than Windows Explorer.

As of build 7048 of Windows 7, Microsoft added the ability to safely remove Internet Explorer 8 from Windows.[2] Microsoft does not allow the dependencies to be removed through this process, but the Internet Explorer executable (iexplore.exe) is removed without harming any other Windows components.

Removing
It is unclear what it means to "remove IE" because such a removal depends on being able to determine which files or functions on an installed Windows system are part of IE — that is, to draw a line between IE and the rest of Windows. Microsoft has held that this is not meaningful; that in Windows 98 and newer versions, "Internet Explorer" is not a separate piece of software but simply a brand name for the Web-browsing and HTML-displaying capacities of the Windows operating system. In this view, the result of removing IE is simply a damaged Windows system; to have a working system without IE one must replace Windows entirely.

It is possible to remove Internet Explorer from Windows 95 after installing, as well as before install time. Removing Internet Explorer from Windows 2000, Windows XP and Windows Server 2003 is also possible at installation time.

In contrast, some programmers and security writers have held that it is possible to have a useful and working Windows system with IE excised, that is, without Microsoft's implementation of web browsing and HTML viewing. These people include consultant Fred Vorck, who advocates that consumers should have the choice to remove "integrated" features of Microsoft Window and participates in the HFSLIP project; Dino Nuhagic, who is the creator of nLite — a product that allows users to remove Windows components like Internet Explorer and Windows Media Player, amongst others; and Shane Brooks, who created 98lite and XPLite to remove and manage Windows components after the installation of the operating system. Some people have suggested the use of alternative browsers instead of Internet Explorer, to try reduce the risk of vulnerabilities.

Found that at http://en.wikipedia.org/wiki/Removal_of_Internet_Explorer

[White Stripes]

Microsoft does not allow the dependencies to be removed through this process

just removing iexplore.exe does nothing.....

In contrast, some programmers and security writers have held that it is possible to have a useful and working Windows system with IE excised, that is, without Microsoft's implementation of web browsing and HTML viewing.

mshtml.dll and related .dlls (things like pngfilt.dll and msxml.dll) is IE not iexplore.exe... iexplore.exe is just another one of those 'skins' for the components...

and yes... it is indeed entirely possible to remove those components.... but like i said a few posts back... it would 'break' half (or more) of the applications on your computer that depend on IEs functionality.... including the .chm help file system....


a 'trick' that you and anyone else can do.... what version of ie do you have installed? you can check that in help > about internet explorer (may be a different method for different versions to get the exact version number) .... make note of the rather long version number in that box.... or leave it open if you wish....

now open a file search and search for 'mshtml.dll' .... there will be multiple copies show up... make sure to select the one thats in your windows installation directory.... now right click that file and select 'properties' then click the version tab.... same version number? .... if some hotfixes have been installed the very last number behind the last dot may be different but that file is the 'beginning' of the real IE thats installed on your system.... if you still have the backup files created by hotfix installs then one of the mshtml.dll files in the backups will have the same exact version number as shown in the interface....


also; AVG8, google talk, AIM, YIM and of course MSN also use IE (mshtml) as their interface (even if in part)... theres sommore attack vectors and apps that would 'break' if IE were completely removed....

[ñòóKýçrÕôK]

Interesting stuff. And I thank you now for if not the whole story, at least the biggest part of it. 

[Cobra]

only thing you can realistically do to IE (and not kill half the apps on your system.. including winmx...) is hide the IE shortcut button....

Don't forget blocking it with your firewall. My firewall alone has saved me many times from what might have resulted in potential harm to my system.

[White Stripes]

Don't forget blocking it with your firewall.

that would definitly help but not entirely... like i said 'iexplore.exe' is -not- IE... its just -one- of its interfaces...

[Forested665]

so much to read.......

If you take a gander at flash for IE or hps "install now" function, you get an active x control request.. click run activex control and it starts installing the driver or program...

[Bluey_412]

And for every Hole you try to plug with hotfixes, you create 2 more....

Thats a natural law!

'Thing is, everyone needs a browser, and the alternates aint much better, if at all, than IE.

The rest is just M$ bashing...

[White Stripes]

http://psi.secunia.com

install that then look at the 'secure browsing' tab... no ms bashing included... what you see is what they got from binary analisis and other reports... IE6 (last version available to the 'masses' has an unpatched hole with no patch available... secuna advises to avoid it because of this... the opera install on my windows box has no known holes, and  yes i said 'known'... no ms bashing... going by whats really there...)

--edit addendum;

and you seem to have forgotten my point that IE is not removable/uninstallable....