Posted by Soulskill on Tuesday July 07, @08:34AM
from the like-one-of-those-pothole-signs dept.
ucanlookitup writes
"Microsoft has warned of a 'privately reported' vulnerability affecting IE users on XP or Windows Server 2003. The vulnerability allows remote users to execute arbitrary code with the same privileges as the users. The vulnerability is triggered when users visit a web site with malicious code. 'Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability.' The advisory can be found at TechNet. Until Microsoft develops a patch, a workaround is available."
Isolate! (Score:4, Interesting)
Once again the problem here is too tight integration with other parts of the OS. Yeah, IE is the most used browser and as such a major target for exploits, but some separation from other parts of the OS wouldn't do any harm. Or at least make it optional to use such; you won't be automatically affected by Flash or PDF exploits if you chose not to install those. Just another reason to use alternate browsers like Opera [opera.com] or Firefox [mozilla.com], seeing it only affects IE users.
That being said, you don't need admin privileges for some malware to do its job; botnets and such easily run within user privileges as well. Funnily, this issue is exactly the same in Linux and Mac OS too, which their users always seem to forget and go about how malware couldn't get the admin rights. They don't need it.
The fun thing is, there always seem to come exploits for IE and Firefox. Very rarely for Opera. That makes me think they've made some good fundamental decisions on design and programming and know how to secure code from exploits, especially because they have major market share (better than IE actually) in CIS countries like Russia and Ukraine [opera.com] and you would be thinking the local hackers would be trying to break it apart and exploit every possible thing on it. Hats off to them, really.
With these ages, isolating the browser from the OS and even virtualizing it in its own environment that's cleaned when the browser is closed starts to be a must, and I don't really see why they aren't doing it already. It would save people from so much trouble, and wouldn't affect performance at all.
Re:Isolate! (Score:5, Interesting)
Internet Explorer 7.0 and 8.0 already do this in Vista. By default it runs in a double sandbox where even if the current user has admin privileges the process runs as a standard user that is further constrained to only be able to read certain parts of the file system but not write. Anything beyond that requires negotiation via a specific broker process just to attain a level of security equal to that of a standard constrained user.
These types of vulnerabilities affect all browsers. ActiveX in Internet Explorer in this case is really no different than NSAPI in Firefox or Opera. It is simply an object model for loading native plug-ins into the process. That plug-in runs in-process with the same rights and privileges as the hosting process. If there is a vulnerability in a PDF plug-in on Linux then it can be exploited through Firefox and there is nothing Firefox or Opera can do to prevent it and it would likely affect all browsers equally.
I agree that the answer appears to be to isolate and constrain. That is what Microsoft has done and Google is following suit. That is why this vulnerability does not affect Vista or Windows Server 2008, or rather an exploit for the vulnerability is neutered by the fact that once it has broken in it cannot do anything malicious.
Re: (Score:2, Troll)
These types of vulnerabilities affect all browsers.
Except those which do not run on operating systems that do not have Active X?
Re: (Score:2)
Mod parent down, and read grandparent quote context:
>> These types of vulnerabilities affect all browsers. ActiveX in Internet Explorer in this case is really no different than NSAPI in Firefox or Opera. It is simply an object model for loading native plug-ins into the process.
Therefore the parent's argument becomes:
>> Except those which do not run on operating systems that do not have Active X OR A NSAPI STYLE PLUG-IN LOADER?
Or more simply:
This type of exploit could only affect browsers other t
There is a difference - attack surface (Score:5, Informative)
It is true that ActiveX and NSAPI plug-ins are both native code and can have the same risks. But the big difference is attack surface. Code needs to be written very explicitly as an NSAPI plug-in. However, most Windows components are by default COM objects, and perhaps controllable by Internet Explorer if the developer so chooses (traditionally referred to as an ActiveX control).
So a typical Firefox installation may have a half dozen or so plugins available, and they may have vulnerabilities. But a typical IE installation has literally thousands of COM objects at its disposal (a bare Windows XP installation has over 2500 COM objects). And those objects may have vulnerabilities as well.
So play the numbers. IE's close integration with the OS means that it has a larger attack surface. While isolation and privilege separation is a good idea, the actual reason that Vista and 2008 are unaffected is *not* because of low-rights IE. IE on those platforms treats the ActiveX interaction required by the exploit as "unsafe" and blocks it. (Rather than allowing the exploit to occur but "neutering" it by giving it low rights.)
Re: (Score:3, Informative)
The vulnerability here comes from, NOT necessarily the oodles of known COM libraries on every Windows system. It isn't REALLY about the fact that you can CreateObject("COMObject.OfMyChoice") on these already known objects... it's all that wrapped together with a COM object that has a
Informative? More like "+1, Sounds Kinda Right." (Score:2, Informative)
Wrong on two counts:
1. Every ActiveX object is a COM object, but not every COM object is an ActiveX object. This is not a pedantic distinction.
2. IE is no more integrated with the OS than Webkit is in KDE: the rendering libraries are considered part of the OS, and the plugin mechanism previously discussed operates there as well.
Please know more about the technology before making unfounded assertions.
Re: (Score:2)
Not all of those objects are marked safe for scripting and/or safe for initialisation (or implement IObjectSafety), and do you think they're all signed? Thus most of them will not load and run automatically. I'm not being cavalier, but it's not as bad as you're trying to paint it.
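An added check in the spirit of the two comments above on attack surface and safe-for-scripting marking; this is example code written for this page, not code from any poster or from Microsoft. It walks the registered CLSIDs, counts how many carry the safe-for-scripting or safe-for-initializing component categories, and shows how the IE kill bit (the per-CLSID block that Microsoft's workaround for this control relies on) is read and set. The target CLSID at the end is a placeholder, not the affected control's identifier.

```powershell
# Added example for this thread, not code from any poster or from Microsoft.
# Audits COM classes for the categories IE consults before scripting a control,
# and reads/sets the IE kill bit for one CLSID. Run as Administrator on Windows.

$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # "Compatibility Flags" bit that stops IE loading the control

function Get-ActiveXSafety {
    param([Parameter(Mandatory)][string]$Clsid)
    $cats  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\Implemented Categories"
    $flags = 0
    $kb = Get-ItemProperty -Path (Join-Path $KillBitRoot $Clsid) `
                           -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($kb) { $flags = [int]$kb.'Compatibility Flags' }
    [pscustomobject]@{
        Clsid            = $Clsid
        SafeForScripting = Test-Path (Join-Path $cats $CATID_SafeForScripting)
        SafeForInit      = Test-Path (Join-Path $cats $CATID_SafeForInitializing)
        KillBitSet       = (($flags -band $KillBitFlag) -ne 0)
    }
}

function Set-ActiveXKillBit {
    # Mitigation: block one control in IE without uninstalling it. Blocking the
    # wrong CLSID breaks whatever depends on it, so verify before rolling out.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Survey: thousands of classes are registered, but only category-marked ones are
# scriptable without a prompt. (Controls that answer IObjectSafety at runtime
# instead of registering a category are not visible in this registry-only view.)
$all = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
       Where-Object { $_.PSChildName -like '{*}' } |
       ForEach-Object { Get-ActiveXSafety $_.PSChildName }
"{0} classes registered, {1} safe-for-scripting, {2} safe-for-init, {3} kill-bitted" -f @(
    $all.Count,
    @($all | Where-Object SafeForScripting).Count,
    @($all | Where-Object SafeForInit).Count,
    @($all | Where-Object KillBitSet).Count
)

# Check (and, if wanted, block) one control. Placeholder CLSID: substitute the
# identifiers from the Microsoft advisory; none are taken from this page.
$target = '{00000000-0000-0000-0000-000000000000}'
Get-ActiveXSafety $target
# Set-ActiveXKillBit $target   # uncomment to apply the block
```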
Re: (Score:2)
So I guess you don't use any Operating System then?
Re: (Score:2, Funny)
So I guess you don't use any Operating System then?
No, He prefers to communicate using God's language, machine code.
Re:Isolate! HA! (Score:4, Insightful)
Another reason to not use ActiveX and NOT use an OS that allows executables to do anything with the kernel via an untrusted WEB PAGE.
Um, what? This has nothing to do with the kernel.
This is another reason NOT to use Vista.
How so? Vista is secure from this; it's XP that's vulnerable.
Where are my mod points?
It seems they got lost about a month or so ago and never came back.
With posts like this, I can see why.
Re:Isolate! (Score:4, Insightful)
You have to take a look at your market to distribute your virus too. Sure, Opera might have more market share in Russia and the Ukraine, but it's still tiny [wikipedia.org] overall.
By attacking IE only, you get 65%, include Firefox, and you're staring at 87% of the browsers in total use. You could target certain countries if you wanted to, but for most malware writers it's pure numbers, and it doesn't matter where they come from. I don't know if Opera is designed/written any better... but I can reasonably assume that it's not being targeted as intensely as IE/FF. I'm not taking my hat off to them until they lock down enough worldwide market share to become worthy of being targeted.
I totally agree that the browser shouldn't be so integrated with the operating system. As a rule, we all know that you don't put yourself out on the public internet... Why have a utility that's part of the OS reach out and grab stuff from there? But don't get me started on virtualization. If we want all the flash and trash we ask for, then virtualization isn't going to deliver it yet... unless you're planning on including all the funny gadgets in a virtual OS. We don't do it already because the products (that I've evaluated) don't do this sort of thing well at all yet.
Re: (Score:2)
But don't get me started on virtualization. If we want all the flash and trash we ask for, then virtualization isn't going to deliver it yet... unless you're planning on including all the funny gadgets in a virtual OS. We don't do it already because the products (that I've evaluated) don't do this sort of thing well at all yet.
However, why is this such a problem? It's not so hard to create some level of virtualization for so specific a target as a simple web browser, and when done well the extra CPU usage and such is just minor. Even when you run stuff like Flash and so on in it. Instead of being installed all over the OS, Flash and other plugins could be installed in that virtualized and separated space that would be cleaned and restored to the original "last good known state" when the browser quits. Then there would be another isolated space to save all the temp data, cookies and such, which would be even more restricted and hence could be sustained through different browser sessions too.
Re: (Score:3, Insightful)
However, why is this such a problem? Its not so hard to create some level of virtualization for so specific target as a simple webbrowser...
Have you spent a lot of time managing virtual applications? If so, you already know that managing the virtualized application is not trivial. Especially if you have plugins. Adding a plugin (currently) requires reworking the virtual application's package. This has been due to change for years, but I haven't witnessed this in practice yet.
Even when you run stuff like Flash and so on in it. Instead of being installed all over the OS, Flash and other plugins could be installed in that virtualized and separated space that would be cleaned and restored to the original "last good known state" when the browser quits. Then there would be another isolated space to save all the temp data, cookies and such, which would be even more restricted and hence could be sustained through different browser sessions too.
Of course, as it stands right now, we have a few browsers that support private browsing. That does prevent much of the data picked up from getting saved. I don't know
Re: (Score:3, Funny)
I don't know, but I bet that the Phantom wouldn't like it.
Re:Isolate! (Score:4, Insightful)
Isolation only helps so much. Given that a lot of interesting malware targets (online banking, paypal, amazon, ebay...) are used exactly with the same browsers that would execute the malware, containing it to the browser doesn't really help a lot. You'd have to disallow the browser to make changes to itself. And, while sensible, this would not be very popular with a lot of people who want to "click and install".
Don't use the same browsers then. (Score:2)
Then log in as your main (non-admin) user, and use browsers running as the different users for different things. For example, you have different browsers for bank stuff, shopping, normal browsing (google, slashdot etc), and less trusted browsing (which is set to be the "default browser" - what launches when you click on a link in an email etc).
Let the main user have access
Re: (Score:2)
Did you actually even read the whole sentence or are you making a joke? :)
"Funnily, this issue is exactly the same in Linux and Mac OS too, which their users always seem to forget and go about how malware couldn't get the admin rights. They don't need it."
Also, SELinux is not something standard that comes along with every kernel, and even if not via exploits, it would happen via user stupidity, which would be there when the masses start using Linux on the desktop.
Oh well. (Score:4, Funny)
affecting IE users on XP
Good thing none of them read Slashdot.
Re: (Score:2)
It's funny, I'm forced to run XP w/ IE6 at my work. The client I support runs a webpage that blocks FF or other browsers by giving the "Unsupported browser" crap when you try to load the page.
Is this client bankrupt?
Re: (Score:3, Informative)
iemployee.com
IE only.
Yes, I AM afraid.
Fixes (Score:2)
Luckily Microsoft reports there is a fix for this, Windows 7 is nearly here.
Re: (Score:3, Informative)
here [microsoft.com] is the fix and no, it isn't "downgrading to Vista." It disables the vulnerable parts of the OS/IE.
Re: (Score:2)
http://www.sandboxie.com/ [sandboxie.com]
Is it really that hard to create new x64 versions of programs with such functions?
I'd love to use it, but I can't as I'm running on Vista 64. So I'm stuck with running a whole VM to act as a sandbox.
Not privately reported (Score:3, Informative)
Securityfocus [securityfocus.com] has more details, including the secret identity of the 'private reporter'
Re: (Score:3, Interesting)
And exploit code: http://downloads.securityfocus.com/vulnerabilities/exploits/35558.rb [securityfocus.com]
Basically, it's exploiting a buffer overflow in the MSVidCtl ActiveX control. It has it load a malformed GIF which causes a buffer overflow somewhere, which then loads in shellcode.
Not much to it, really. You could make this into a static exploit if you so desired and pop it on any webpage you liked.
Workaround? That's a fix! (Score:2)
Considering how much of a security problem ActiveX is, I consider the workaround (i.e. disabling ActiveX) a very good final fix for the problem.
Re: (Score:2)
Arguably, the Netscape / Mozilla plug-in API is just as vulnerable, though at least there the user has to do something to install it. It briefly looked like MS were going to be forced to do the same thing due to a patent issue, but sadly that didn't happen:
http://blogs.msdn.com/ie/archive/2007/11/08/ie-automatic-component-activation-changes-to-ie-activex-update.aspx
Hi, I'm a mac (Score:2, Funny)
I have nothing further to say, I just wanna stand here in my black turtle-neck with my cup of coffee looking smug. /typed on my MBP, so simma-down now fan boys... ;-P
Seriously, this exploit sucks. I've gotta patch a butt-load of computers today now. Thanks a lot MS. Anyone know if the MSI file has a silent install option? Or can it be done via GPO?
I just walked in, this smacked me right in the face this am. Damnit.
Re: (Score:2, Informative)
It can. Made the change to our GPOs, and it's rolling out now. Having an issue with terminal server users: the installer is trying to install for every user that accesses the box (as intended, I guess) but none of our users have admin rights so it's bombing out... that's a simple fix though, just exclude any terminal server you might have and patch it manually.
So, to answer my own question, yeah, it's easy to script it.
couldn't microsoft (Score:5, Funny)
just warn us when they have found no exploits at all?
meanwhile, we would just assume the default status is that everything is exploitable
it would cut down on the announcements by an order of magnitude
Re: (Score:3, Insightful)
In theory, they already do this on the second Tuesday of every month.
However... has there ever been a Microsoft patch Tuesday that hasn't had any patches? I'm going to tentatively say "No"...
Re: (Score:2)
And even if it happened, wouldn't the safe assumption be that the patch system had a bug or was exploited?
Re: (Score:2)
Pity there's no +1 Amen, Brotha.
something else to be wary of (Score:2)
Media Player will try to download codecs for certain wmv files. I stick with VLC and never use wmv's. But someone I know used the wmv and downloaded the codec and got a rootkit instead. I'd not previously heard of this method of attack but it doesn't surprise me a jot.
Re: (Score:2)
Or you can just go into Tools->Options and turn off the automatic downloading of codecs. And according to the help, the user is always prompted before downloading third party codecs.
Re: (Score:3, Insightful)
No, if IE is not running or being used, the exploit would not affect the system.
That said, this vulnerability does not affect Vista or Windows 7, or IE7/8 on those systems.
Really--people should upgrade. And furthermore, people should not disable UAC.
Re: (Score:2)
And I sincerely hope they skip Vista and go right to Win7.
Because IE is almost always shipped with Windows, other apps often use its rendering engine to display HTML - they might be also be vulnerable if they use it to display untrusted content. The advisory mentioned the Outlook Express isn't vulnerable in its default configuration because of its use of IE's "zones" feature, but that does rather im
Sometimes I wonder... (Score:2, Insightful)
It makes me wonder why any financial institution would still design their websites to require Internet Explorer and/or Active X. Seems sort of like putting up guide rails at a bowling alley and then expecting everyone to bowl gutter balls.
Re: (Score:2)
Active-X is a vulnerability. If you run Windows, you should disable it.