Tuesday, March 9, 2010

Patch Tuesday, and a Zero-Day attack against IE6/7

Today is Patch Tuesday. I patched my main XP workstation and it did not require a reboot. The SANS page March 2010 - Microsoft Patch Tuesday Diary is rating one of the two patches CRITICAL but not PATCH NOW. The CRITICAL patch affects Excel, so if you don't use Excel much, wait a few days before patching.

ZDNet's Zero Day blog has details of a recent Microsoft Security Advisory. If you use IE to browse the Internet (Mozilla's Firefox web browser is much safer) and can upgrade to IE8 (Windows 2000 users cannot), do so. If you don't use IE except to do Windows Updates, don't bother.

New Microsoft IE zero-day flaw under attack | Zero Day | ZDNet.com
A zero-day (unpatched) vulnerability in Microsoft’s Internet Explorer is being exploited in the wild, the company warned in an advisory issued today.

On the same day it issued software fixes as part of its Patch Tuesday schedule, Microsoft released a pre-patch advisory to warn of the risk of remote code execution attacks against users of IE 6 and IE 7.

From the advisory:
Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.

The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

Microsoft said it was aware of targeted attacks attempting to use this vulnerability. No other details on the attacks were offered.

Update Thu 11 Mar 2010 10:18 MST: The exploit is not only in the wild, it has now been built into the hacker/security toolkit Metasploit, which means we can expect many more malicious websites to start using it.

IE zero-day flaw leaks out; Exploit code published | Zero Day | ZDNet.com
Using obvious clues from a McAfee blog post, an Israeli hacker was able to pinpoint the latest Internet Explorer zero-day vulnerability and create working exploit code. The exploit code, which provides a clear roadmap to launch drive-by download attacks against IE 6 and IE 7 users, is being fitted into the Metasploit point-and-click tool.

... the availability of public exploit code is sure to light a fire and raise the likelihood of an emergency update before next month’s Patch Tuesday.
