Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Changed Infocon status to Yellow, re: Windows Internet Explorer vulnerability

Published: 2005-11-21
Last Updated: 2005-11-21 23:18:29 UTC
by Mike Poor (Version: 1)
0 comment(s)
Infocon has been raised to Yellow due to the exploit being publicly available, combined with the lack of a patch for this specific vulnerability.  Disable Javascript in your Internet Explorer browsers, or switch to another browser.  We have received reports that Safari suffers from a DOS condition, but I have not been able to replicate it with Safari running on 10.3 or 10.4 series OSX machines.

Mike Poor
Handler on Duty
Intelguardians
Keywords:
0 comment(s)

Snort Rule released on BleedingSnort for the Windows Javascript vulnerability

Published: 2005-11-21
Last Updated: 2005-11-21 21:54:22 UTC
by Mike Poor (Version: 1)
0 comment(s)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE CURRENT EVENTS Microsoft Internet
Explorer Window() Possible Code Execution"; flow:established,from_server;
content:"window"; nocase; pcre:"/[=:'"s]windows*(s*)/i";
reference:url,secunia.com/advisories/15546; \  reference:url,www.computerterrorism.com/research/ie/ct21-11-2005;
reference:cve,2005-1790; classtype:attempted-user; sid:2002682; rev:1; )


Download it directly from here:

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_Internet_Explorer?view=markup


Please let us know about problems with this rule, and/or when you notice sites hosting/performing this exploit.

thanks!

Mike Poor
Handler on Duty
Intelguardians
Keywords:
0 comment(s)

* Internet Explorer 0-day exploit

Published: 2005-11-21
Last Updated: 2005-11-21 20:15:54 UTC
by Johannes Ullrich (Version: 4)
0 comment(s)
the UK group "Computer Terrorism" released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration.

The bug uses a problem in the javascript 'Window()' function, if run from 'onload'. 'onload' is an argument to the HTML <body> tag, and is used to execute javascript as the page loads.

The Javascript Window() vulnerability has been known for a few months now, but it has so far been treated as a denial of service (DoS) vulnerability. The author of this PoC figured out a way to use this older vulnerability to execute code.

Impact:
Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).

In addition ot the PoC 'Calculator' exploit, a reader (thanks Chris R!) submitted a version that opens a remote shell. The PoC exploit allows for easy copy/paste of various shell code snippets.

In itself, the vulnerability will not escalate privileges. We are trying to verify other exploits at this point.

Mitigation:
Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting firefox. But others may. For firefox, the extnion 'noscript' can be used to easily allow Javascript for selected sites only.


Keywords:
0 comment(s)
Diary Archives