
Microsoft out-of-band patch tomorrow

  • Post author: Omid Farhang
  • Post published: March 30, 2010
  • Reading Time: 1 min
  • Word Count: 147 words

Microsoft said today it will issue an out-of-band patch tomorrow for a vulnerability in Internet Explorer 6 and 7 that is being actively exploited. “The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution,” Microsoft said in its Security Advisory 981374 earlier this month. ...


It's not dead yet: Microsoft's out-of-band IE6 fix impacts IE8

  • Post author: Omid Farhang
  • Post published: March 30, 2010
  • Reading Time: 2 min
  • Word Count: 292 words

Last month, Microsoft sent flowers to a mock funeral for Internet Explorer 6, in a show of support for the ideal that the old browser should be declared defunct worldwide. But for a few years yet, the company is still bound to support the product for those users (generally businesses) who refuse to upgrade it. That’s why new exploits that continue to target old browsers, such as IE6 and IE7, continue to get attention even a full year after the proper security fix — IE8 — has been deployed. ...


Fresh exploit served up with ads

  • Post author: Omid Farhang
  • Post published: March 23, 2010
  • Reading Time: 2 min
  • Word Count: 258 words

Hi folks, One of our researchers recently discovered that the Liberty exploit kit included a fairly new exploit from November 2009 … http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867 . The fact that there was something fairly new in terms of exploits was interesting to start with, but then we looked at the text on the exploit page…. Lehman Brothers?! Coffee Party??!! Holy Activists, Batman!!! It’s politically motivated!!!! Then we looked at the stats page (all these toolkits come with a sophisticated admin page), and saw that the top referrer was ad.yieldmanager.com! Holy Advertisers, Batman! Activists who know how to use exploit kits, _and_ the ad network!!! ...


Germany’s CERT warns against Firefox use

  • Post author: Omid Farhang
  • Post published: March 22, 2010
  • Reading Time: 1 min
  • Word Count: 195 words

BürgerCERT, Germany’s government information security organization, is recommending that Web users NOT use the Firefox browser until Mozilla fixes a vulnerability in it March 30. No malicious use has been found yet; however, a researcher posted proof-of-concept code for exploiting the previously unknown vulnerability. A malicious operator could use the vulnerability to run arbitrary code. Mozilla is expected to post version Firefox 3.6.2 to fix the problem. In January, the governments of France and Germany urged users to stop using Microsoft’s Internet Explorer browser until the company fixed the vulnerability that was blamed, at least in part, for the attacks from China on Google and more than two dozen other companies. ...


20 undocumented holes in OS X?

  • Post author: Omid Farhang
  • Post published: March 22, 2010
  • Reading Time: 1 min
  • Word Count: 198 words

Charlie Miller, Principal Analyst at Baltimore, Md.-based security firm ISE, has made news in the last two days saying that he found 20 previously unknown security vulnerabilities in Apple’s OS X operating system. News stories seem to anticipate that he will reveal them at the CanSec West conference next week in his talk “Babysitting an Army of Monkeys: An Analysis of Fuzzing 4 Products with 5 Lines of Python.” However, Miller tweeted: “To be clear, I’m not revealing 20 apple bugs at #cansec, I’m revealing how I found 20 apple bugs.” ...


Big Safari fix

  • Post author: Omid Farhang
  • Post published: March 12, 2010
  • Reading Time: 1 min
  • Word Count: 180 words

Apple yesterday released a huge Safari update that fixes 16 vulnerabilities – six for Windows versions and ten for Mac OS X and Windows. The update, Safari 4.0.5, makes fixes in Tiger, Leopard, Snow Leopard and Windows versions. This is probably pretty significant. In November, TheInquirer.net of the UK carried a piece about browser vulnerabilities that rated Firefox and Safari as the ones with the most vulnerabilities: ...


Internet Explorer 0-day targeted in spam runs

  • Post author: Omid Farhang
  • Post published: March 12, 2010
  • Reading Time: 1 min
  • Word Count: 190 words

Hot on the heels of the Patch Tuesday announcements yesterday, came the announcement of a new zero-day in Internet Explorer (CVE-2010-0806). Whilst checking through some URLs supposedly serving up malicious code to exploit this vulnerability, I noticed a link to some spam runs from earlier in the week. On March 8th SophosLabs saw spam messages attempting to trick the recipient into visiting rogue web pages. Messages used at least two social engineering tricks to lure victims into clicking the malicious link. ...


Exploit Code for IE 0-day vulnerability

  • Post author: Omid Farhang
  • Post published: March 12, 2010
  • Reading Time: 1 min
  • Word Count: 110 words

Exploit code for the zero-day vulnerability in Internet Explorer has been added to the Metasploit framework. According to an email HD Moore wrote to ZDNet’s Ryan Naraine, the exploit works quite reliably – successful 50% of the time on Windows XP with SP2 and SP3 with IE7 and deactivated Data Execution Prevention (DEP). The security hole was reported yesterday on Microsoft’s March 2010 Patch Tuesday. Drive-by-download exploits are likely to appear now, as the Metasploit framework is open source and the exploit can now be abused even by script kiddies. Time to change the default browser – Microsoft just released a new browser choice screen which allows for exactly that! ...


Don’t press F1

  • Post author: Omid Farhang
  • Post published: March 2, 2010
  • Reading Time: 1 min
  • Word Count: 212 words

Here’s a new vector: exploiting a Windows vulnerability through an Internet Explorer help menu Visual Basic script: “get ‘em to hit F1 and you own ‘em.” Microsoft is warning of a VBScript vulnerability in Internet Explorer (on Win2K, XP and Server03) that could be used to run malicious code. A malicious operator could create a web site that displays a specially crafted dialog box and prompts a victim to press the F1 key (help menu.) The exploit could then execute malicious code on a victim machine. (Windows versions that are not vulnerable are: Vista, Win7, Server08 R2 and Server08.) ...


Exploit for zero-day vuln in Firefox is for sale

  • Post author: Omid Farhang
  • Post published: February 21, 2010
  • Reading Time: 1 min
  • Word Count: 179 words

Evgeny Legerov, founder of Intevydis in Moscow, has created an exploit that hits a previously unknown heap-corruption vulnerability in the Firefox browser. The code isn’t readily available though, since he’s put it in a module to the automated exploitation system he sells (reportedly at a considerable price.) Legerov has not provided information on the vulnerability to Mozilla. The Intevydis site says: “Exploitation frameworks are not new on the market, but only we may offer you hundreds of CANVAS modules for unpatched and unknown vulnerabilities in highly popular software products.” ...
