Internet Explorer Could Have A Huge Security Hole

[jko]

Users of several Internet Explorer versions are being urged on Monday to switch to other browsers such as Chrome or Firefox amid news of a major security hole.

According to Rapid7 security forum, a new zero-day exploit for Internet Explorer 7, 8, and 9 has hit computers running Windows XP, Vista and 7. Zero-day exploits involve software that takes advantage of a security hole within a site to carry out an attack.

Source

Article

[ITGabs]

nice exploit!

how easy to get the full control of a windows machine

[MJCM]

Microsoft EMET (The Enhanced Mitigation Experience Toolkit) could be the solution for some users with this problem.

http://www.nbcnews.com/technology/technolog/microsoft-urges-customers-install-security-tool-1B5948322#/technology/technolog/microsoft-urges-customers-install-security-tool-1B5948322

What is EMET ?

http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

Emet Download here:

http://www.microsoft.com/en-us/download/details.aspx?id=29851

[Pib]

OK I switched to Chrome, but then read an article that Chrome also has security problems. So, I then switched to Firefox, but then read an article that Firefox also has security problems. So, in frustration I switched back to IE, but just for a day. To keep the bad guys confused every other day I will randomly use either IE, Chrome, or Firefox; or will this just give different bad guys a higher change of hacking my computer...maybe it's time just not to worry too much about it....take normal precautions...keep your OS and other software updated with emphasis on keeping your Firewall and AntiVirus programs up to date and not visiting certain type web sites.

Edited September 18, 2012 by Pib

[davejones]

A security risk with IE? Surely not.

I fail to see why anyone still uses it.

[Chicog]

A security risk with IE? Surely not.

I fail to see why anyone still uses it.

They all have Security risks, if you think not using IE makes you safe, think again.

[MJCM]

Microsoft has released a Security Advisory (2757760)

http://technet.microsoft.com/en-us/security/advisory/2757760

Microsoft is investigating public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability.

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Suggested Actions

• Deploy the Enhanced Mitigation Experience Toolkit
  Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from successfully being exploited by applying in-box mitigations such as DEP to applications configured in EMET.
  At this time, EMET is provided with limited support and is only available in the English language. For more information, see Microsoft Knowledge Base Article 2458544.
  Configure EMET for Internet Explorer from the EMET user interface
  To add iexplore.exe to the list of applications using EMET, perform the following steps:
  
  1. Click Start, All Programs, Enhanced Mitigation Experience Toolkit, and EMET 3.0.
     
  2. Click Yes on the UAC prompt, click Configure Apps, then select Add. Browse to the application to be configured in EMET.
     For 32-bit installations of Internet Explorer the location is:
     C:\Program Files (x86)\Internet Explorer\iexplore.exe
     Note For 32-bit systems, the path is c:\program files\Internet Explorer\iexplore.exe
     For 64-bit installations of Internet Explorer the location is:
     C:\Program Files\Internet Explorer\iexplore.exe
     
  3. Click OK and exit EMET.
     

  Configure EMET for Internet Explorer from a command line

  • For 32-bit installations of IE on 64-bit systems, run the following from an elevated command prompt:
    "c:\Program Files (x86)\EMET\EMET_Conf.exe"--add "c:\Program Files (x86)\Internet Explorer\iexplore.exe"
    Note For 32-bit systems, the path for EMET is c:\Program Files\EMET\EMET_Conf.exe and the path for IE is c:\Program Files\Internet Explorer\iexplore.exe
    
  • For x64 installations of IE, run the following from an elevated command prompt:
    "c:\Program Files (x86)\EMET\EMET_Conf.exe"--add "c:\Program Files\Internet Explorer\iexplore.exe"
    
  • If you have completed this successfully, the following message displays:
    "The changes you have made may require restarting one or more applications"
    
  • If the application has already been added in EMET, the following message displays:
    Error: "c:\Program Files (x86)\Internet Explorer\iexplore.exe" conflicts with existing entry for "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    

  [*]Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones

  You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to block ActiveX controls and Active Scripting. You can do this by setting your browser security to High.

  To raise the browsing security level in Internet Explorer, perform the following steps:

  1. On the Internet Explorer Tools menu, click Internet Options.
     
  2. In the Internet Options dialog box, click the Security tab, and then click Internet.
     
  3. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
     
  4. Click Local intranet.
     
  5. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
     
  6. Click OK to accept the changes and return to Internet Explorer.
     

  Note If no slider is visible, click Default Level, and then move the slider to High.

  Note Setting the level to High may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

  Impact of workaround. There are side effects to blocking ActiveX Controls and Active Scripting. Many websites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Blocking ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. If you do not want to block ActiveX Controls or Active Scripting for such sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

  Add sites that you trust to the Internet Explorer Trusted sites zone

  After you set Internet Explorer to block ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted websites exactly as you do today, while helping to protect yourself from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

  To do this, perform the following steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
     
  2. In the Select a web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
     
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
     
  4. In the Add this website to the zone box, type the URL of a site that you trust, and then click Add.
     
  5. Repeat these steps for each site that you want to add to the zone.
     
  6. Click OK two times to accept the changes and return to Internet Explorer.
     

  Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.[*]Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

  You can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, perform the following steps:

  1. In Internet Explorer, click Internet Options on the Tools menu.
     
  2. Click the Security tab.
     
  3. Click Internet, and then click Custom Level.
     
  4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
     
  5. Click Local intranet, and then click Custom Level.
     
  6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
     
  7. Click OK two times to return to Internet Explorer.
     

  Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

  Impact of workaround. There are side effects to prompting before running Active Scripting. Many websites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

  Add sites that you trust to the Internet Explorer Trusted sites zone

  After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted websites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

  To do this, perform the following steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
     
  2. In the Select a web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
     
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
     
  4. In the Add this website to the zone box, type the URL of a site that you trust, and then click Add.
     
  5. Repeat these steps for each site that you want to add to the zone.
     
  6. Click OK two times to accept the changes and return to Internet Explorer.
     

  Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.

[Pib]

I'm glad the Suggested Actions are simple and straight forth.

[Chicog]

nice exploit!

how easy to get the full control of a windows machine

Not necessarily "Full Control" - but access at the equivalent logged-in user's level.

[ITGabs]

nice exploit!

how easy to get the full control of a windows machine

Not necessarily "Full Control" - but access at the equivalent logged-in user's level.

yes, but it's easier to jump and run something as system, it's the same for install a software as a second step.

[ITGabs]

A security risk with IE? Surely not.

I fail to see why anyone still uses it.

They all have Security risks, if you think not using IE makes you safe, think again.

The difference between IE and other browsers is that IE is embedded into the system, you can't uninstall it, and many programs use the interfaces of IE for the layout inclusive antivirus, so if IE is infected the risk is potencialy bigger than an alternative browser, and the patches take more time than popular browsers.

Firefox it's safer in my opinion/experience but security problems are everywhere and more related to an user behavior more that a software problem.

Do you know some exploit in Firefox, Chrome or Opera that allow you to get the same access or more than this exploit? probably not

[Chicog]

The thing about Firefox and Chrome (and even Apple) is that when they hear about exploits they quietly fix them.

Both Microsoft and Oracle are guilty of letting exploits hang around for so long that sooner or later they get out to the wild, and people start developing tools for them, which is why they are in the mess they're in now.

Oracle in particular are very bad - they have said they will fix the Java exploit on October 16th, giving people ample time to play around with it.

Microsoft will probably patch this quite quickly, because they won't want to be losing Browser customers.

And the EMET patch and associated Browser security mods will probably mitigate it for most people until it's fixed.

Apple are absolutely riddled with exploits, but every time they roll out an update, they fix them, usually before they become public knowledge.

Facebook pay people to find exploits; they'll send them an FB prepaid card and top it up with their assessment of the value of the work.

[Chicog]

nice exploit!

how easy to get the full control of a windows machine

Not necessarily "Full Control" - but access at the equivalent logged-in user's level.

yes, but it's easier to jump and run something as system, it's the same for install a software as a second step.

In English please? Do you mean Privilege escalation on a fully patched machine is possible, yes, to a very skilled practicioner of the dark arts.

[Chicog]

TechNet Blogs > MSRC > Additional information about Internet Explorer and Security Advisory 2757760

Additional information about Internet Explorer and Security Advisory 2757760

MSRCTeam

18 Sep 2012 2:52 PM

• 
  

We will release a Fix it in the next few days to address an issue in Internet Explorer, as outlined in the Security Advisory 2757760 that we released yesterday.

While we have only seen a few attempts to exploit the issue, impacting an extremely limited number of people, we are taking this proactive step to help ensure Internet Explorer customers are protected and able to safely browse online.

The Fix it is an easy-to-use, one-click, full-strength solution any Internet Explorer user can install. It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available. It won’t require a reboot of your computer.

This Fix it will be available for everyone to download and install within the next few days. Until then, we encourage folks to review the advisory and follow the other mitigations listed there.

Thanks,

Yunsun Wee,

Director, Trustworthy Computing

[MJCM]

An out-of-band security bulletin from Microsoft

Published: Wednesday, September 19, 2012

Version: 2.0

This is an advance notification for one out-of-band security bulletin that Microsoft is intending to release on September 21, 2012. The bulletin addresses security vulnerabilities in Internet Explorer.

This bulletin advance notification will be replaced with the September bulletin summary on September 21, 2012. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

For those who can't wait there is a Fix It (work around) available from Microsoft

http://support.microsoft.com/kb/2757760

Note: For those who want to apply the MS Fix It solution, should know that the Fix It should be undone prior to the out-of-band fix that MS will be releasing !

And some more technical info on attack

https://blogs.technet.com/b/srd/archive/2012/09/19/more-information-on-security-advisory-2757760-s-fix-it.aspx?Redirected=true

Edited September 20, 2012 by MJCM

[Chicog]

Funny - send a message to Aramco and if it has a link it in they are bouncing every single one.

[MJCM]

^ Once Bitten twice shy

[Chicog]

^ Once Bitten twice shy

Bitten? If the stuff I've been getting is true, they are still being heavily gnawed. Apparently they have apologised because they still can't pay their bills.

[nikster]

I'm glad the Suggested Actions are simple and straight forth.

ROFL

There's a much simpler, quicker fix: https://www.google.com/intl/en/chrome/browser/

I think Chrome is the best because Google is constantly and silently updating it.

[Chicog]

Re the "Fix It" by the way: You must apply all outstanding IE patches before you run it or it won't work. If you can't do that, might as well wait.

[MJCM]

Microsoft released the Patch and my Windows Update offered it this morning.

http://technet.micro...lletin/ms12-063

[ITGabs]

End of the problem