
Thread: ALERT New zero day virus on the move ALERT

  1. #1
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506

    ALERT New zero day virus on the move ALERT

    SECURITY outfit Sunbelt says that it has seen a nasty new zero-day exploit which exploits a VML vulnerability in IE. Writing in his blog, Sunbelt's research boffin Eric Sites said that the hack was discovered coming from a porn site. We guess someone was testing the porn site for security issues when they noticed the exploit taking place.
    The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode. It has been seen at a number of different sites since its first appearance.
    The exploit can be stopped by turning off JavaScript. Alternatively, you could wipe Windows from your hard-drive and install Linux with Firefox.

    http://www.theinquirer.net
    ------------------------------------------------------------



  2. #2
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,366
    I like the second option

  3. #3
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    For those interested among you there is a test page to see if you are vulnerable (you are unless you installed the patch or unregistered the DLL manually) at http://www.isotf.org/zert/testvml.htm and if you visit it using Internet Explorer on most versions of Windows IE will crash - Vista + IE7 doesn't, which is nice.

    PS: Turning off JavaScript won't help you.
    I'm using Windows 7 - you got a problem with that?

  4. #4
    Hardware guy Super Moderator FastGame's Avatar
    Join Date
    Apr 2002
    Location
    Blasters worm farm
    Posts
    3,333
    This is a test page to determine whether your browser is vulnerable to the VML vulnerability specified in CVE-2006-4868.

    Since your browser is not Internet Explorer 5 or higher it does not support the vulnerable VML module, and you are therefore not vulnerable.

  5. #5
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Many applications in Windows use part of IE to render HTML - Outlook and Outlook Express for example. You are still vulnerable if you use any app that does this, and they are not all obvious (QuickBooks as an example). Using Firefox therefore doesn't necessarily save you either, because you will be getting it in spam etc.
    I'm using Windows 7 - you got a problem with that?

  6. #6
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    If your settings are not set up correctly for default browsers you can simply click on a link a buddy sent to you in MSN and Internet Explorer will open and you would be hosed. Internet satellite TV programs such as TVAnts open Internet Explorer no matter what your settings, and that is how these programs get in. Think how mad you will be if you only use Firefox and you get spyware because some weather program updates using IE behind your back.....?
    ------------------------------------------------------------



  7. #7
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,041
    From ZERT:

    By downloading this patch you agree that the patch is a non-vendor supplied patch and you are using this patch of your own accord. You also agree ISOTF/ZERT supplies this patch on an AS-IS basis and that you are using this patch at your own risk.

    Download and instructions

    To download the patch follow the link: zert2006-01.zip (60KB md5:78721c4a3b2493c13c8bb0c3f9d9786b )
    This file contains GUI and command-line versions of patch, a readme and source code.
    You need to close Internet Explorer, Outlook and other programs that may be using the DLL before you attempt to patch.


    Test your system once you are patched by using our test page!
    After installing this patch you can test your IE browser by visiting a special page. A patched browser will not crash when it visits this page.

    If your browser shows a red-square when visiting the page, your browser is patched or does not need the patch.

    Important note about the vendor's eventual patch
    It is important to rollback the ZERT patch (unpatch - remove our patch) before applying any future vendor patch.
    We unregister the vulnerable DLL, replace the vulnerable function and register vgxnew.dll as the handler for VML.
    A Microsoft patch would potentially fix a DLL not being used, so unpatching is important at that stage. We enable complete rollback in our patch.


    Installation options
    Before installing the patch you must close both Internet Explorer and Outlook. To install the patch first extract the folder, ZPatch, from the archive.
    You may use either the GUI interface, which is located in ZPatch\Release, or the command line version, which is located in ZPatch\Console\Release.
    The archive includes a Microsoft Visual Studio project for each version of the patch.

    To use the patch, run the GUI executable and click on "Patch". To remove the patch click on "Rollback".
    For the command prompt version, use --patch and --unpatch respectively.
    When patching an AMD64 system, browse (by clicking on Br) and choose the DLL manually.

    =========== Please Read The Forum Rules ===========
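    The ZERT notes above say the patch unregisters the vulnerable vgx.dll and registers vgxnew.dll as the VML handler, and that you must roll that back before the vendor fix lands. The following is an added example, not part of the ZERT package or of any post in this thread: a PowerShell script that scans the COM class registrations for whichever DLL is currently live as an in-process server under a "vgx" name, reports its path and file version, and wraps Microsoft's own documented interim workaround (unregistering vgx.dll with regsvr32) together with the matching re-registration. The function names and the assumption that the DLL lives under "%CommonProgramFiles%\Microsoft Shared\VGX" are mine; run it from an elevated prompt with IE and Outlook closed, as the ZERT readme also requires.

```powershell
# Added example (not ZERT's or Microsoft's code). Assumes Windows with IE
# installed and an elevated PowerShell session.

function Get-VmlHandlerRegistration {
    # HKCR is the merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes,
    # so a per-user override of the handler shows up here as well.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    Get-ChildItem -Path 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { return }
        $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        # Match both the original vgx.dll and the ZERT replacement vgxnew.dll.
        if (-not $server -or $server -notmatch 'vgx') { return }
        $path = [Environment]::ExpandEnvironmentVariables($server).Trim('"')
        $exists = Test-Path -LiteralPath $path
        [PSCustomObject]@{
            Clsid   = $_.PSChildName
            Server  = $server
            Exists  = $exists
            Version = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo.FileVersion } else { $null }
        }
    }
}

# Microsoft's documented interim workaround was to unregister vgx.dll.
# Assumed location; adjust if your install differs.
$VgxDll = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'

function Disable-VmlHandler {
    & regsvr32.exe /u /s $VgxDll
    if ($LASTEXITCODE -ne 0) { throw "regsvr32 /u failed with exit code $LASTEXITCODE" }
}

function Enable-VmlHandler {
    & regsvr32.exe /s $VgxDll
    if ($LASTEXITCODE -ne 0) { throw "regsvr32 failed with exit code $LASTEXITCODE" }
}

# Report what is live right now. An empty table means no VML handler is
# registered at all (the regsvr32 workaround state); a row pointing at
# vgxnew.dll means the ZERT patch is still in place and needs rolling back
# before the vendor update.
Get-VmlHandlerRegistration | Format-Table -AutoSize
```

    The scan walks every CLSID, so it takes a few seconds; the point is that it does not depend on remembering the VML control's CLSID. Compare the reported file version with the one listed in the Microsoft bulletin once it is out: a vgx.dll that is registered but still at the old version is the exact case the ZERT note warns about, where the vendor fix updated a file that the ZERT patch had taken out of use.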

  8. #8
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,366
    I tried the test page with both firefox and IE
    And in IE it crashed, proving that it works
    (or I was just curious how it would crash)

  9. #9
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,041
    Official Microsoft patch released today: http://www.techzonez.com/comments.php?shownews=19351

    also available via Windows Update

    =========== Please Read The Forum Rules ===========

  10. #10
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Doesn't cover the second vuln though, does it, the daxctle.ocx one. Which apparently is also full remote code execution; see http://www.frsirt.com/english/advisories/2006/3593
    I'm using Windows 7 - you got a problem with that?

  11. #11
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,041
    Quote Originally Posted by Curio View Post
    Doesn't cover the second vuln though does it, the daxctle.ocx one.
    No, but this thread is about the VML vulnerability.

    =========== Please Read The Forum Rules ===========

  12. #12
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    remote execution with daxctle.ocx

    eeew

    when will that be fixed?
    ------------------------------------------------------------



  13. #13
    Nobody knows I'm a dog. TZ Veteran petard's Avatar
    Join Date
    Feb 2003
    Location
    Newspapastan
    Posts
    1,050
    So I guess this is a bad time to say I use a mac notebook at work?

    Many thanks to egghead for the cool .sig

  14. #14
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,041
    Quote Originally Posted by egghead View Post
    remote execution with daxctle.ocx

    eeew

    when will that be fixed?
    Here's the Microsoft Security Advisory (925444). I presume it may be patched in the next round of updates which are due on 10th Oct.

    =========== Please Read The Forum Rules ===========

  15. #15
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Here is a registry patch to set the kill bit for the control and therefore mitigate the threat of the second one. There is already exploit code available for this threat so soon enough it will be all over web sites. Or is this the wrong thread?
    I'm using Windows 7 - you got a problem with that?
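    Curio's registry patch itself is not on the page, so as an added example (my code, not the attachment from that post and not Microsoft's) here is the same kill-bit mitigation done with PowerShell rather than a .reg file: set, read and clear the "Compatibility Flags" kill bit for a CLSID under the ActiveX Compatibility key that IE and other hosts of the WebBrowser control honour. The CLSID at the bottom is a placeholder; substitute the one given in Microsoft Security Advisory 925444 for the DirectAnimation control, which I have deliberately not reproduced from memory. Run elevated.

```powershell
# Added example (not the registry patch posted above). Assumes an elevated session.

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # documented "kill bit" value of the Compatibility Flags DWORD

function Test-ClsidFormat([string]$Clsid) {
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a braced CLSID: $Clsid"
    }
}

function Get-KillBit([string]$Clsid) {
    Test-ClsidFormat $Clsid
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]([int]$flags -band $KillBitFlag)
}

function Set-KillBit([string]$Clsid) {
    Test-ClsidFormat $Clsid
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in rather than overwriting, so any other flags already set survive.
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Clear-KillBit([string]$Clsid) {
    Test-ClsidFormat $Clsid
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return }
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -band (-bnot $KillBitFlag)
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Placeholder CLSID: replace with the one from the advisory for the control to block.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-KillBit $clsid
"Kill bit set for ${clsid}: $(Get-KillBit $clsid)"
```

    Two caveats a practitioner will want. First, the kill bit only stops the control from being instantiated by hosts that check the compatibility flags; it does not remove daxctle.ocx, so anything that loads the OCX directly is unaffected. Second, on 64-bit Windows the 32-bit IE reads the same key under SOFTWARE\Wow6432Node, so set it in both places if you have both browser bitnesses installed.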
