Microsoft Warns of New Video ActiveX Vulnerability
ucanlookitup writes "Microsoft has warned of a 'privately reported' vulnerability affecting IE users on XP or Windows Server 2003. The vulnerability allows remote users to execute arbitrary code with the same privileges as the user. The vulnerability is triggered when users visit a web site with malicious code. 'Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability.' The advisory can be found at TechNet. Until Microsoft develops a patch, a workaround is available."
Isolate! (Score:4, Interesting)
Once again the problem here is too tight integration with other parts of the OS. Yeah, IE is the most used browser and as such a major target for exploits, but some separation from other parts of the OS wouldn't do any harm. Or at least make it optional to use such; you won't be automatically affected by Flash or PDF exploits if you chose not to install those. Just another reason to use alternate browsers like Opera [opera.com] or Firefox [mozilla.com], seeing it only affects IE users.
That being said, you don't need admin privileges for some malware to do its job; botnets and such easily run within user privileges as well. Funnily, this issue is exactly the same in Linux and Mac OS too, which their users always seem to forget and go on about how malware couldn't get the admin rights. They don't need it.
The fun thing is, there always seem to be exploits coming out for IE and Firefox. Very rarely for Opera. That makes me think they've made some good fundamental decisions on design and programming and know how to secure code from exploits, especially because they have major market share (better than IE actually) in CIS countries like Russia and Ukraine [opera.com] and you would think the local hackers would be trying to break it apart and exploit every possible thing on it. Hats off to them, really.
These days, isolating the browser from the OS and even virtualizing it in its own environment that's cleaned when the browser is closed starts to be a must, and I don't really see why they aren't doing it already. It would save people from so much trouble, and wouldn't affect performance at all.
Re:Isolate! (Score:5, Interesting)
Internet Explorer 7.0 and 8.0 already do this in Vista. By default it runs in a double sandbox where even if the current user has admin privileges the process runs as a standard user that is further constrained to only be able to read certain parts of the file system but not write. Anything beyond that requires negotiation via a specific broker process just to attain a level of security equal to that of a standard constrained user.
These types of vulnerabilities affect all browsers. ActiveX in Internet Explorer in this case is really no different than NSAPI in Firefox or Opera. It is simply an object model for loading native plug-ins into the process. That plug-in runs in-process with the same rights and privileges as the hosting process. If there is a vulnerability in a PDF plug-in on Linux then it can be exploited through Firefox and there is nothing Firefox or Opera can do to prevent it and it would likely affect all browsers equally.
I agree that the answer appears to be to isolate and constrain. That is what Microsoft has done and Google is following suit. That is why this vulnerability does not affect Vista or Windows Server 2008, or rather an exploit for the vulnerability is neutered by the fact that once it has broken in it cannot do anything malicious.
Re: (Score:2)
There is NO good reason to use Vista, unless you have a tablet PC.
I still use Windows 2000 on my Surfing/Gaming system; so far, I've only had to use my dual boot to XP for 2 games, everything else works perfect.
Really want to be safe, and have all the bells and whistles? Windows Server 2008. It Rocks.
Re: (Score:2)
So I guess you don't use any Operating System then?
Re: (Score:2, Funny)
So I guess you don't use any Operating System then?
No, he prefers to communicate using God's language, machine code.
Re: (Score:2)
It is just that I'm not aware of any Operating System / Browser combination which does not do anything with the kernel. Just a plain image download makes a heck of a lot of calls to the kernel. Well, maybe there is a browser for DOS...
But I'm sorry. I'm just being a jackass and having a bit of fun here :)
Re:Isolate! HA! (Score:4, Insightful)
Another reason to not use ActiveX and NOT use an OS that allows executables to do anything with the kernel via an untrusted WEB PAGE.
Um, what? This has nothing to do with the kernel.
This is another reason NOT to use Vista.
How so? Vista is secure from this, it's XP that's vulnerable.
Where are my mod points?
It seems they got lost about a month or so ago and never came back.
With posts like this, I can see why.
Re: (Score:2)
Clarification - Maybe not this one, however: Using ActiveX allows system access
Ever heard the phrase "ActiveX kernel mode"?
1) Your links are worthless and have no basis to support your insane claim.
2) ActiveX can only access the Win32 Kernel, not the NT kernel. Win9x has been dead for 10 years, time for you to realize this.
3) Any other exploit that can 'escalate' via overflow and memory address usage is negated by Vista and Win7 via the protected mode of the IE on the OS that cuts the ActiveX ties, and what
Re: (Score:2)
I believe you're forgetting something, and I'm sure you forgot this by design, MacOS and Safari. That combination doesn't even require anti-virus (or anti-anything for that matter) to safely browse the net, or use email, view pdfs, etc. And before you go off listing all your comforting reasons WHY Mac/Safari is safer, I'll ask "Who gives a shit WHY? It just is and has been
Re: (Score:2)
When using a LiveCD even if the OS is breached a reboot puts you right back where you were without any infection that might have occurred
Well you make a good point if you want to play 'gotcha'. However, you forget that the default model that Windows works with, offers these features inherently without having to run the OS from a write protected image.
With NTFS's copy-on-write features and journalling, the OS and volume can be rolled back, which means you don't have to run from a non-write OS construct and st
Re: (Score:2, Troll)
These types of vulnerabilities affect all browsers.
Except those which do not run on operating systems that do not have Active X?
Re: (Score:2)
Mod parent down, and read grandparent quote context:
>> These types of vulnerabilities affect all browsers. ActiveX in Internet Explorer in this case is really no different than NSAPI in Firefox or Opera. It is simply an object model for loading native plug-ins into the process.
Therefore the parent's argument becomes:
>> Except those which do not run on operating systems that do not have Active X OR A NSAPI STYLE PLUG-IN LOADER?
Or more simply:
This type of exploit could only affect browsers other t
There is a difference - attack surface (Score:5, Informative)
It is true that ActiveX and NSAPI plug-ins are both native code and can have the same risks. But the big difference is attack surface. Code needs to be written very explicitly as an NSAPI plug-in. However, most Windows components are by default COM objects, and perhaps controllable by Internet Explorer if the developer so chooses (traditionally referred to as an ActiveX control).
So a typical Firefox installation may have a half dozen or so plugins available, and they may have vulnerabilities. But a typical IE installation has literally thousands of COM objects at its disposal (A bare Windows XP installation has over 2500 COM objects). And those objects may have vulnerabilities as well.
So play the numbers. IE's close integration with the OS means that it has a larger attack surface. While isolation and privilege separation is a good idea, the actual reason that Vista and 2008 are unaffected is *not* low-rights IE. IE on those platforms treats the ActiveX interaction required by the exploit as "unsafe" and blocks it (rather than allowing the exploit to occur but "neutering" it by giving it low rights).
Re: (Score:3, Informative)
The vulnerability here does NOT necessarily come from the oodles of known COM libraries on every Windows system. It isn't REALLY about the fact that you can CreateObject("COMObject.OfMyChoice") on these already known objects... it's all that wrapped together with a COM object that has a
Informative? More like "+1, Sounds Kinda Right." (Score:2, Informative)
Wrong on two counts:
1. Every ActiveX object is a COM object, but not every COM object is an ActiveX object. This is not a pedantic distinction.
2. IE is no more integrated with the OS than Webkit is in KDE: the rendering libraries are considered part of the OS, and the plugin mechanism previously discussed operates there as well.
Please know more about the technology before making unfounded assertions.
Re: (Score:2)
Not all of those objects are marked safe for scripting and/or safe for initialisation (or implement IObjectSafety), and do you think they're all signed? Thus most of them will not load and run automatically. I'm not being cavalier, but it's not as bad as you're trying to paint it.
Re: (Score:2)
You are correct. My original post was a bit over-simplified. Out of the COM objects that come with Windows XP, about 350 of them are marked Safe for Scripting, and almost 250 of them are marked Safe for Initialization, with a pretty large, but not complete, overlap between the two properties. That's still orders of magnitude larger than the plug-in attack surface of a browser like Firefox.
And even the objects that are not Safe for Scripting or Init cannot be discounted. Some objects cause IE t
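The count the two posts above are arguing about can be reproduced from the registry. The script below is an added example, not code from the thread or from Microsoft: it lists every CLSID under HKCR that declares the Safe for Scripting or Safe for Initializing component category (the well-known CATID GUIDs) and checks whether IE's kill bit (bit 0x400 of the control's Compatibility Flags) already blocks it. It is read-only. The number it prints is a lower bound, because a control can also answer IObjectSafety at run time without registering a category, as the earlier reply notes, and on 64-bit Windows the 32-bit IE consults the Wow6432Node view, which this script does not read.

```powershell
# Added example, not from the thread: lower-bound enumeration of the COM classes
# IE will script from a page without an IObjectSafety prompt, plus kill-bit status.
# Read-only; reads the native registry view only.

$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$KillBit = 0x400   # Compatibility Flags bit that stops IE instantiating a control

function Test-KillBit {
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($null -ne $flags) -and (($flags -band $KillBit) -ne 0))
}

function Get-ScriptableActiveX {
    # HKCR is not mapped as a drive by default; map it once.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    foreach ($key in (Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue)) {
        $clsid = $key.PSChildName
        $cats  = "HKCR:\CLSID\$clsid\Implemented Categories"
        $safeScript = Test-Path "$cats\$CatSafeForScripting"
        $safeInit   = Test-Path "$cats\$CatSafeForInitializing"
        if (-not ($safeScript -or $safeInit)) { continue }
        New-Object PSObject -Property @{
            CLSID      = $clsid
            Name       = (Get-ItemProperty -Path "HKCR:\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            SafeScript = $safeScript
            SafeInit   = $safeInit
            KillBitSet = Test-KillBit $clsid
        }
    }
}

$controls = @(Get-ScriptableActiveX)
$blocked  = @($controls | Where-Object { $_.KillBitSet })
"{0} CLSIDs marked safe for scripting and/or initialising; {1} of them already kill-bitted" -f $controls.Count, $blocked.Count
$controls | Where-Object { -not $_.KillBitSet } | Sort-Object Name | Format-Table CLSID, Name, SafeScript, SafeInit -AutoSize
```

The interesting rows are the ones that are safe for scripting and not kill-bitted: that is the set a page can reach with new ActiveXObject(...) in the default Internet zone, and the set you would triage against vendor advisories.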
Re: (Score:2)
I go to a web site and it crashes my browser. I go there again and it crashes a second time. Ok, I won't go there. Probably good as the site is either compromised or actively attacking me. Probably better that my browser crashes than shows a web page that allows me to enter my credit card details as part of a purchase. /playing devil's advocate
Re: (Score:2)
How do you know that the browser crashed and not, say, launched a keylogger in its place?
Re: (Score:2)
ActiveX in Internet Explorer in this case is really no different than NSAPI in Firefox or Opera.
ActiveX can load remote applications. Its primary purpose is to run someone else's code on your computer.
NSAPI can not do that. It's an internal interface in a library.
Now, shut up, moron.
Re: (Score:2)
Plugins are pieces of software that the user installs. If they are supposed to run in a sandbox, so does the browser itself. A web page author can't even force the content to be displayed with a PARTICULAR plugin -- at best he can tell the user to install something, and the user is free to install a completely different implementation without so much as letting the server know what it is.
Re:Isolate! (Score:4, Insightful)
You have to take a look at your market to distribute your virus too. Sure, Opera might have more market share in Russia and the Ukraine, but it's still tiny [wikipedia.org] overall.
By attacking IE only, you get 65%, include Firefox, and you're staring at 87% of the browsers in total use. You could target certain countries if you wanted to, but for most malware writers it's pure numbers, and it doesn't matter where they come from. I don't know if Opera is designed/written any better... but I can reasonably assume that it's not being targeted as intensely as IE/FF. I'm not taking my hat off to them until they lock down enough worldwide market share to become worthy of being targeted.
I totally agree that the browser shouldn't be so integrated with the operating system. As a rule, we all know that you don't put yourself out on the public internet... Why have a utility that's part of the OS reach out and grab stuff from there? But don't get me started on virtualization. If we want all the flash and trash we ask for, then virtualization isn't going to deliver it yet... unless you're planning on including all the funny gadgets in a virtual OS. We don't do it already because the products (that I've evaluated) don't do this sort of thing well at all yet.
Re: (Score:2)
But don't get me started on virtualization. If we want all the flash and trash we ask for, then virtualization isn't going to deliver it yet... unless you're planning on including all the funny gadgets in a virtual OS. We don't do it already because the products (that I've evaluated) don't do this sort of thing well at all yet.
However, why is this such a problem? It's not so hard to create some level of virtualization for such a specific target as a simple web browser, and when done well the extra CPU usage and such is just minor. Even when you run stuff like Flash and so on in it. Instead of being installed all over the OS, Flash and other plugins could be installed in that virtualized and separated space that would be cleaned and restored to the original "last known good state" when the browser quits. Then there would be another isolated space to sav
Re: (Score:3, Insightful)
However, why is this such a problem? It's not so hard to create some level of virtualization for such a specific target as a simple web browser...
Have you spent a lot of time managing virtual applications? If so, you already know that managing the virtualized application is not trivial. Especially if you have plugins. Adding a plugin (currently) requires reworking the virtual application's package. This has been due to change for years, but I haven't witnessed this in practice yet.
Even when you run stuff like Flash and so on in it. Instead of being installed all over the OS, Flash and other plugins could be installed in that virtualized and separated space that would be cleaned and restored to the original "last known good state" when the browser quits. Then there would be another isolated space to save all the temp data, cookies and such, which would be even more restricted and hence could be sustained through different browser sessions too.
Of course, as it stands right now, we have a few browsers that support private browsing. That does prevent much of the data picked up from getting saved. I don't know
Re: (Score:2)
totally agree that the browser shouldn't be so integrated with the operating system. As a rule, we all know that you don't put yourself out on the public internet...
This is why IE was severed from the OS in Vista and Win7. In Vista, it plays no role in anything but browsing or being called by 3rd party applications, and still it remains a protected process with reduced security access.
It no longer runs in conjunction with Explorer or has any OS level ties as it did in XP. (This is why Web Desktop was also
Re: (Score:3, Funny)
I don't know, but I bet that the Phantom wouldn't like it.
Re: (Score:1)
Flashblock will go a long way towards mitigating the flash attacks, and it generally improves the browsing experience (people way into YouTube or such may have to do a little whitelisting).
PDF is a problem, but I actually prefer setting it to launch an external app and turning off javascript mitigates most of the threats there (as does being up to date). Running Foxit or Sumatra should cut off even more attacks.
Re: (Score:2)
I've never had any problems with viruses, and very, very little malware.
Re: (Score:2)
Flashblock will go a long way towards mitigating the flash attacks, and it generally improves the browsing experience (people way into YouTube or such may have to do a little whitelisting).
I use it solely to prevent videos from downloading immediately.
Re: (Score:2)
but frankly that makes for an incredibly sucky web experience
It is actually not so bad, all things considered. Most of us tend to visit the same groups of sites most of the time, so once the whitelist script permissions are dialed in one very rarely needs to touch NoScript again, and even then the interface with Firefox is easy to use with the notification and task bars available for right click permission tweaking. Other plugins can also be combined with NoScript for even more fine grained control. For example I like to use Adblock Plus, NoScript, and Flashblock in com
Re:Isolate! (Score:4, Insightful)
Isolation only helps so much. Given that a lot of interesting malware targets (online banking, paypal, amazon, ebay...) are used exactly with the same browsers that would execute the malware, containing it to the browser doesn't really help a lot. You'd have to disallow the browser to make changes to itself. And, while sensible, this would not be very popular with a lot of people who want to "click and install".
Don't use the same browsers then. (Score:2)
Then log in as your main (non-admin) user, and use browsers running as the different users for different things. For example, you have different browsers for bank stuff, shopping, normal browsing (google, slashdot etc), and less trusted browsing (which is set to be the "default browser" - what launches when you click on a link in an email etc).
Let the main user have access
Re: (Score:2)
What I have done sometimes is use VirtualPC and a generic XP VM for web browsing. VirtualPC may not have the advanced features of heavy snapshotting or clustering, but the functionality it has for storing a change log, and dumping all changes immediately when the VM closes, is good enough. Add to this running the web browser under a limited user in the VM, and this narrows down the attack surface quite a bit. Should malware get on the VM, all it will see on the VM's local network segment is the VirtualP
Re: (Score:2)
Like I said, use different browsers for different things. Stick to doing bank stuff with a browser that's dedicated for $$$ stuff.
You don't have to run everything in one browser whether it's sandboxed or not.
You can launch multiple instances of IE running as different users.
Re: (Score:2)
The thing is, how are the browser instances connected? If two use the same chunk of the filesystem, a compromised instance can sit watching what is downloaded and, as soon as an executable is copied, add a payload.
There are a number of race conditions an infected instance can do, from adding a redirect site to bookmarks stored to grabbing session authorization cookies, to altering cached files so when a clean browser instance hits a cache, it picks up an infected object which would compromise the new i
O/S enforced (Score:2)
There is already this security mode, it's called running stuff as a different user. The browsers would be running as different (limited/restricted) users.
The operating system enforces the separation. If you find a problem with the separation, then that's a huge bug in the OS. Ever since the 1960/70s users in proper multi-user O/Ses cannot access each others files, data and processes, unless the permissions are explicitly granted.
The browser executables are only writable by the admin/system. So they won't be
Re: (Score:2)
If you're tech savvy enough for this solution, you probably don't need it because you're also tech savvy enough to either not click on dancing pigs or use Linux altogether.
Re: (Score:2)
I do that anyway.
Because:
1) I don't trust either IE or Firefox to be secure enough.
2) I don't use AV software for my machines - AV software is getting crappier nowadays, it's getting harder to tell whether a machine is infected by malware or crappy AV software.
e.g. Lots of things running slower? System instability? Weird/dubious shit happening[1]? Hard to uninstall the crap? All of the previous?
BTW both Symantec and McAfee recently agreed to settle charges that they automatically charged customers software
Re: (Score:2)
From a technical viewpoint, a Windows machine with a halfway decent administrator is 100 times more secure than a Linux box with someone who has no idea of security (or Linux, for that matter) at the helm. But that's a technicality, no pun intended.
What matters is that there is simply no market for Linux mass malware. Conficker and its cousins don't exist on Linux. Why? Same reason why there is more commercial non-malware software for Windows than for Linux: No market share. Should Linux ever make it into t
Re: (Score:2)
Did you actually even read the whole sentence or are you making a joke? :)
"Funnily, this issue is exactly the same in Linux and Mac OS too, which their users always seem to forget and go about how malware couldn't get the admin rights. They dont need it."
Also, SELinux is not something standard that comes with every kernel, and even if not via exploits, it would happen via user stupidity, which would be there when the masses start using Linux on the desktop.
Re: (Score:2)
Then those people should read the source, or ask/hire someone they DO trust to do it for them.
Oh well. (Score:4, Funny)
affecting IE users on XP
Good thing none of them read Slashdot.
Re: (Score:2)
It's funny, I'm forced to run XP w/ IE6 at my work. The client I support runs a webpage that blocks FF or other browsers by giving the "Unsupported browser" crap when you try to load the page.
Is this client bankrupt?
Re: (Score:3, Informative)
iemployee.com
IE only.
Yes, I AM afraid.
Fixes (Score:2)
Luckily Microsoft reports there is a fix for this, Windows 7 is nearly here.
Re: (Score:3, Informative)
here [microsoft.com] is the fix and no, it isn't "downgrading to Vista." It disables the vulnerable parts of the OS/IE.
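The kill-bit workaround that the link above applies can also be set by hand, which is what you want when pushing it through your own management tooling instead of the downloadable package. The script below is an added example, not Microsoft's Fix it and not from the thread: it ORs the kill bit into Compatibility Flags for each CLSID it is given (preserving any other flags already on the key), writes the Wow6432Node view as well on 64-bit Windows so that 32-bit IE sees it, and then reads the values back. The CLSID in the script is a placeholder, not the vulnerable control's identifier; take the real list from the advisory. It writes under HKLM, so it needs an elevated prompt.

```powershell
# Added example, not Microsoft's Fix it and not from the thread: set IE kill bits
# for a list of CLSIDs by hand. Needs an elevated prompt (writes under HKLM).

$KillBit = 0x400   # Compatibility Flags bit IE checks before instantiating a control

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory=$true)][string[]]$Clsid,
        [switch]$Wow64   # also write the 32-bit view, which 32-bit IE on x64 consults
    )
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ($Wow64) { $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
    foreach ($root in $roots) {
        foreach ($id in $Clsid) {
            $key = Join-Path $root $id
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -eq $current) { $current = 0 }
            # OR the bit in rather than overwrite: other compatibility flags on the key must survive.
            New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                -Value ($current -bor $KillBit) -Force | Out-Null
        }
    }
}

function Get-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string[]]$Clsid, [switch]$Wow64)
    $root = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    if ($Wow64) { $root = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
    foreach ($id in $Clsid) {
        $flags = (Get-ItemProperty -Path (Join-Path $root $id) -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        New-Object PSObject -Property @{
            CLSID      = $id
            View       = $(if ($Wow64) { 'Wow6432Node' } else { 'native' })
            KillBitSet = (($null -ne $flags) -and (($flags -band $KillBit) -ne 0))
        }
    }
}

# Placeholder CLSID: substitute the identifiers listed in the Microsoft advisory.
$targets = @('{00000000-0000-0000-0000-000000000000}')
$is64 = Test-Path 'HKLM:\SOFTWARE\Wow6432Node'
Set-ActiveXKillBit -Clsid $targets -Wow64:$is64
Get-ActiveXKillBit -Clsid $targets
if ($is64) { Get-ActiveXKillBit -Clsid $targets -Wow64 }
```

Kill bits take effect for new IE instances (and for any other MSHTML host) without a reboot. To undo one later, clear bit 0x400 instead of deleting the key, since the key may carry other flags that should stay.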
Re: (Score:2)
http://www.sandboxie.com/ [sandboxie.com]
Is it really that hard to create new x64 versions of programs with such functions?
I'd love to use it, but I can't as I'm running on Vista 64. So I'm stuck with running a whole VM to act as a sandbox.
Re: (Score:2)
Even better, use freaking Windows Update and install IE8, fixed...
Not privately reported (Score:3, Informative)
Securityfocus [securityfocus.com] has more details, including the secret identity of the 'private reporter'
Re: (Score:3, Interesting)
And exploit code: http://downloads.securityfocus.com/vulnerabilities/exploits/35558.rb [securityfocus.com]
Basically, it's exploiting a buffer overflow in the MSVidCtl ActiveX control. It has it load a malformed GIF which causes a buffer overflow somewhere, which then loads in shellcode.
Not much to it, really. You could make this into a static exploit if you so desired and pop it on any webpage you liked.
Workaround? That's a fix! (Score:2)
Considering how much of a security problem ActiveX is, I consider the workaround (i.e. disabling ActiveX) a very good final fix for the problem.
Re: (Score:2)
Arguably, the Netscape / Mozilla plug-in API is just as vulnerable, though at least there the user has to do something to install it. It briefly looked like MS were going to be forced to do the same thing due to a patent issue, but sadly that didn't happen:
http://blogs.msdn.com/ie/archive/2007/11/08/ie-automatic-component-activation-changes-to-ie-activex-update.aspx
Hi, I'm a mac (Score:2, Funny)
I have nothing further to say, I just wanna stand here in my black turtle-neck with my cup of coffee looking smug. /typed on my MBP, so simma-down now fan boys... ;-P
Seriously, this exploit sucks. I've gotta patch a butt-load of computers today now. Thanks a lot MS. Anyone know if the MSI file has a silent install option? Or can it be done via GPO?
I just walked in, this smacked me right in the face this am. Damnit.
Re: (Score:2)
It would be hard to explain the real concept and danger to a Mac user and be sure the Mac users (ones not coming from Windows) will be members of the "I don't care" profile.
I speak about Virtual Machine and Boot Camp running Mac users. They have never lived through disasters like Blaster and mostly they think "I don't pirate or porn, I should be safe". Run Windows Update on one of the Boot Camp users' machines and see for yourself. Of course, I am part of "run a free AV inside virtual machine" since I had a very nice (!) me
Re: (Score:2, Informative)
It can. Made the change to our GPOs, and it's rolling out now. Having an issue with terminal server users, the installer is trying to install for every user that accesses the box (as intended, I guess) but none of our users have admin rights so it's bombing out....that's a simple fix though, just exclude any terminal server you might have and patch it manually.
So, to answer my own question, yeah, it's easy to script it.
couldn't microsoft (Score:5, Funny)
just warn us when they have found no exploits at all?
meanwhile, we would just assume the default status is that everything is exploitable
it would cut down on the announcements by an order of magnitude
Re: (Score:3, Insightful)
In theory, they already do this on the second Tuesday of every month.
However... has there ever been a Microsoft patch Tuesday that hasn't had any patches? I'm going to tentatively say "No"...
Re: (Score:2)
And even if it happened, wouldn't the safe assumption be that the patch system had a bug or was exploited?
Re: (Score:2)
Pity there's no +1 Amen, Brotha.
something else to be wary of (Score:2)
Media Player will try to download codecs for certain wmv files. I stick with VLC and never use wmv's. But someone I know used the wmv and downloaded the codec and got a rootkit instead. I'd not previously heard of this method of attack but it doesn't surprise me a jot.
Re: (Score:2)
Or you can just go into Tools->Options and turn off the automatic downloading of codecs. And according to the help, the user is always prompted before downloading third party codecs.
Re: (Score:3, Insightful)
No, if IE is not running or being used, the exploit would not affect the system.
That said, this vulnerability does not affect Vista or Windows 7, or IE7/8 on those systems.
Really--people should upgrade. And furthermore, people should not disable UAC.
Re: (Score:2)
And I sincerely hope they skip Vista and go right to Win7.
Re: (Score:2)
Because IE is almost always shipped with Windows, other apps often use its rendering engine to display HTML - they might be also be vulnerable if they use it to display untrusted content. The advisory mentioned the Outlook Express isn't vulnerable in its default configuration because of its use of IE's "zones" feature, but that does rather im
Re: (Score:2)
This office is full of people who don't know what they're doing, they just click the little yellow shield and install whatever updates are allowed to come down to it.
You lie. No $GENERIC_SLIGHTLY_DEROGATORY_TERM_REFERRING_TO_TECHNICALLY_ILLITERATE_USERS has ever paid any attention to a warning or notification that carries even the slightest bit of importance. It's the useless drivel that freezes them like deer in the headlights.
Re: (Score:2)
Active X ...will soon be added to the Thesaurus as a synonym of "Vulnerability".
Right along with Firefox plugins, and any other technology that allows native code to run inside a browser.
Sometimes I wonder... (Score:2, Insightful)
It makes me wonder why any financial institution would still design their websites to require Internet Explorer and/or Active X. Seems sort of like putting up guide rails at a bowling alley and then expecting everyone to bowl gutter balls.
Re: (Score:2)
Because they (banks) are as lazy as and even cheaper than many corporations today. If they can hire cheaper labor they will (and they do); expecting this cheaper labor to know about exploits, have time to learn about exploits, or use their free time to learn about exploits in order to thwart and prevent them is a bit much.
Do not assume because you care and take the time to look at the code of every patch you download and install on your PC that others do. (Besides by definition, only open source users h
MS security is hopeless (Score:2)
Here is how to fix a security threat from MS:
Then click Run in the File Download dialog box, and follow the steps in this wizard.
Oh yes, keep teaching your users how to press "Run" from the web browser, even for a concept/method which was created in 2009. Let them "run" everything, for ease. This happens while Apple, vendor of OS X, warns the user about .exe files under Safari for OS X!
I know how their simple mind works. Now that couple of people who doesn't ignore them warned about how stupid to suggest u
Re: (Score:1, Offtopic)
My ex-wife was 'tarded. She's a pilot now.
Re: (Score:2)
Active-X is a vulnerability. If you run Windows, you should disable it.
Re: (Score:2)
Why should Active-X be required for a patch? No other OS needs this kind of crap. Can you think of a single non-Microsoft app that requires Active-X?