Thread-topic: 0-day exploit in wild: Microsoft Internet Explorer VML Code Execution Vulnerability-
Message: 6
Date: Tue, 19 Sep 2006 03:06:27 -0400
From: "Eric Sites" <erics@xxxxxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] [SECURITY] Sunbelt Software: New Microsoft Internet Explorer Exploit - 9-18-2006
To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Message-ID: <E4F8FCFF12A98B4C9597295538AD7E4B378356@xxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"
Sunbelt Software Security Advisory
Description:
A new Microsoft Internet Explorer exploit has been found in the wild by Sunbelt Software security researchers.
This exploit uses a buffer overflow in IE's VML code to execute code remotely. Contact eric@xxxxxxxxxxxxxxxxxxxx for further information.
Analysis:
Analysis information and exploit code have been released to security companies and security researchers. This exploit currently affects fully patched versions of Microsoft Internet Explorer 6 on Windows XP Home and Windows XP Professional. Other Microsoft Windows versions and Microsoft Internet Explorer versions are being tested.
Chronology:
9/15/2006 - Found in the wild but was unable to confirm.
9/18/2006 - Reliable exploit found on multiple websites.
9/18/2006 - Exploit used to install Virtumonde.
9/18/2006 - Exploit websites changed to install Virtumonde plus the following malware - Trojan-PSW.Win32.Sinowal.aq, BookedSpace Browser Plug-in, AvenueMedia.InternetOptimizer, Claria.GAIN.CommonElements, Mirar Toolbar, 7FaSSt Toolbar, webHancer, Trojan.SvcHost, Trojan.Delf, Begin2Search Toolbar, MediaMotor Trojan Downloader, Trojan-Downloader.Winstall, TargetSaver Browser Plug-in, InternetOffers Adware, SurfSideKick, Trojan.Vxgame, SafeSurfing.RsyncMon, Trojan-Downloader.Small, Freeprod/Toolbar888, ConsumerAlertSystem.CASClient, SpySheriff, Trojan-Downloader.Qoologic, Zenotecnico, Command Service, WebNexus, Webext Browser Plug-in, CWS.Dialerz, DollarRevenue, Trojan-Downloader.Gen, Danmec.B-dll, Traff-Acc, EliteMediaGroup, NetMon, TagASaurus, Trojan-Downloader.Win32.Small.awa, FullContext.EQAdvice, Trojan-Clicker.Win32.VB.ij, Yazzle.Cowabanga Misc, Backdoor.Shellbot, Trojan.Danmec, TopInstalls.Banners, Trojan-Dropper.Delf.VA, Adware.Batty, Trojan-Downloader.Win32.Small.cyh, Toolbar.CommonElements, Trojan.Win32.PePatch.dw, Backdoor.Win32.Delf.aml, BookedSpace.
9/18/2006 - Reported to Microsoft Security and other security companies and researchers.
Credits:
Adam Thomas, Security Researcher at Sunbelt Software
Eric Sites, VP of Research & Development at Sunbelt Software
Security Research Team at Sunbelt Software
Related Links:
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
http://research.sunbelt-software.com/
http://www.sunbelt-software.com/
Copyright (c) 2006 Sunbelt Software
Eric Sites
VP of Research & Development
Sunbelt Software
eric@xxxxxxxxxxxxxxxxxxxx
------------------------------
Message: 7
Date: Tue, 19 Sep 2006 00:51:21 -0500 (CDT)
From: Gadi Evron <ge@xxxxxxxxxxxx>
Subject: [Full-disclosure] Yet another 0day for IE
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: botnets@xxxxxxxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <Pine.LNX.4.21.0609190037050.32170-100000@xxxxxxxxxxxx>
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sunbelt Software released a warning on a new IE 0day they detected in-the-wild, to quote them:
"The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode. It is currently on and off again at a number of sites.
Security researchers at Microsoft have been informed. This story is developing and research is ongoing. Security professionals can contact me for collaboration or further information. This exploit can be mitigated by turning off Javascripting."
They also notified some closed and vetted security information sharing groups on the matter, with further details. You can find their blog entry here:
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
That's that.
Why do I call it a 0day? Because it has indeed been used in-the-wild before it was publicly discovered. People are CURRENTLY, and have been for a while now, being exploited.
Lately we call every exploit being released in full disclosure mode a 0day. That's a 1-day, or at least it has to be from now on, as there are just too many of those and there are more to come.
This trend started with Websense detecting an IE 0day (not really IE
- WMF) used in-the-wild by spyware, to infect users.
"Responsible disclosure" is important, but when it takes so long to get a response or a fix with "irresponsible vendors", and with so much money to be made by not disclosing vulnerabilities at all, it is becoming passé. New exploits don't need to be gleaned from patches or feared in full disclosure. Someone just pays for a 0day... it's their business and they invest in it.
So:
1. Lots more coming.
2. Please call it a 1-day if it's full disclosure mode, and 0day if it
has been seen in-the-wild.
The motivation has now moved from "let's be responsible" or "let's have
fun" to "let's make money" or "let's stop waiting and be mocked by
irresponsible vendors". This is not about everybody, it's about how
things are.
Even idefense and zdi can't pay enough when compared with people who make money from what the 0day gives them - exploited users and a money making botnet.
Thanks,
Gadi.