Security Microsoft

Attacks Against Unpatched Microsoft Bug Multiply 122

CWmike writes "Attacks exploiting the latest Microsoft vulnerability are quickly ramping up in quantity and intensity, several security companies warned today as they rang alarms about the developing threat. Symantec, Sunbelt Software, and SANS' Internet Storm Center bumped up their warnings yesterday after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by IE to display Excel spreadsheets. There is no patch for the vulnerability; Microsoft didn't release one in today's Patch Tuesday. A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection. Symantec raised its ThreatCon ranking to the second of four steps. "We're seeing it exploited, but currently on a limited scale," said Symantec's Ben Greenbaum. Sunbelt also bumped up its ranking, to high." Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.
This discussion has been archived. No new comments can be posted.

  • by gad_zuki! ( 70830 ) on Tuesday July 14, 2009 @07:07PM (#28697745)

    Why don't web hosts scan for hosted vulnerabilities? I imagine a nightly clamav scan by web hosts would make all the difference in cases like these where there is no patch yet but there is a web-based exploit. Heck, some users don't even patch, as was shown by Conficker, which was patched in October and spread like wildfire in January.

  • Re:Active X again? (Score:4, Insightful)

    by mkavanagh2 ( 776662 ) on Tuesday July 14, 2009 @07:42PM (#28698039)

    I believe Microsoft thinks ActiveX is sandboxing.

  • by fedxone-v86 ( 1080801 ) on Tuesday July 14, 2009 @07:59PM (#28698179)

    Why is Secunia (http://secunia.com/advisories/35798/2/) only featuring a link to the exploit of the ff3.5 0day but no link to the Mozilla bugtracker?

    Don't want to sound trollish but I don't really know how this whole security business works. So can anyone please explain why there is no bug report for the open source browser?

  • Re:Active X again? (Score:5, Insightful)

    by Penguinshit ( 591885 ) on Tuesday July 14, 2009 @08:00PM (#28698197) Homepage Journal
    Sandbox?

    What ActiveX needs is a pine box
  • Re:Firefox 3.5? (Score:3, Insightful)

    by butalearner ( 1235200 ) on Tuesday July 14, 2009 @08:05PM (#28698239)

    Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.

    Well, I guess I'm safe. At my workplace, my Redhat 9 installation is incapable of running any version newer than Firefox 2.0.0.20.

    That, and the fact that there are no exploits for the Firefox vulnerability in the wild. The two pieces of news are hardly comparable. Seriously, this is like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their vehicles can be broken into with a sledgehammer.

  • Re:Firefox 3.5? (Score:5, Insightful)

    by Anonymous Coward on Tuesday July 14, 2009 @08:52PM (#28698607)

    That, and the fact that there are no exploits for the Firefox vulnerability in the wild. The two pieces of news are hardly comparable. Seriously, this is like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their vehicles can be broken into with a sledgehammer.

    False analogy. Better analogy:

        It's like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their keyless entry system is also flawed but luckily since fewer people drive Chevys (and Ford drivers are usually foolish enough to park their car in front of a big warehouse with a sign that says "Not a chop shop") no one's bothered to learn how to break in to a Chevy yet.

  • Re:Firefox 3.5? (Score:5, Insightful)

    by recoiledsnake ( 879048 ) on Tuesday July 14, 2009 @09:24PM (#28698855)

    Wrong. The details are public and exploits could be happening in the wild. How do you know they're not?

    From http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html [washingtonpost.com]

    Instructions showing hackers how to exploit an unpatched, critical security hole in Mozilla's new Firefox 3.5 Web browser have been posted online.

  • by PitaBred ( 632671 ) <slashdot@pitabre d . d y n d n s .org> on Tuesday July 14, 2009 @09:51PM (#28699007) Homepage
    Why wouldn't you be able to? Unless you signed some agreement otherwise, or are trying for common carrier status, there's no reason you can't. There's no law against not allowing unwanted advertising to appear on your property. If a Christian site didn't want porn ads, they are not required to carry them because they carry other ads.
  • by Stan Vassilev ( 939229 ) on Wednesday July 15, 2009 @12:29AM (#28700101)

    You have a good point, but are you sure web sites are actually legally entitled to inspect what people are paying them to put on their servers?

    If you read the small print in the ToS you'll see they entitle themselves to doing anything they could imagine. Even if it was not in the ToS, adding it in there is trivial.

    The reason they don't do it is one of pure economy. Integrating and running antivirus programs daily on a server is not free. It slows down the server (so they can pack fewer sites per server), it means license/support contracts (even if the basic software is free), means the staff spending time on integrating and supporting this feature.

    At the same time, browser exploits are simply small static files that don't affect or abuse the server in question in any significant way. If they scan, it would be just to protect the site visitors, which are not a party that matters to web host providers. So, unless site owners decide they would rather take their business with a host who scans, the hosts have no interest to implement this.

  • by EvilIdler ( 21087 ) on Wednesday July 15, 2009 @05:45AM (#28701325)

    How are web hosts going to handle dangerous files they find, if they start searching the users' stuff? That upload of the latest Conficker might not be malicious (user rents serverspace to host virus/trojan/worm research), the upload might be referenced in a database by the CMS (whoops, it's gone - does the user know how to fix the now-apparent bug in the CMS' filehandling?).

    How does a virus scanner even know if the file is visible to the outside world? You have .htaccess files, scripts which may or may not display the files in an index (and it doesn't have to be anywhere near the same directory) and non-Apache/IIS systems which serve up content based on Python, Java or whatever.

    Lots of issues with automated scanning/removal before you even start to consider the processing power to scan. Although that could be handled by having a reasonably beefy cluster of pure file servers which the web servers get their user directories from.

  • Re:Ohh noes.... (Score:3, Insightful)

    by L4t3r4lu5 ( 1216702 ) on Wednesday July 15, 2009 @09:05AM (#28702379)
    It doesn't even parse correctly:

    Without an unsandboxed version of the win32 api, which is what ActiveX is, they would be unable to deny the ability to use the internet to those without a recent version of windows and office.

    With a sandboxed version of the win32 api, which is what ActiveX is, they would be able to allow the ability to deny the internet to those with a recent version of windows and office.

    To paraphrase: "IE plugins from Office won't work without Win32 API running with increased privileges"

    Took me a while to work it out, though.
